Massive Twitter data breach worse than reported; more hacks

A massive Twitter data breach last year that exposed more than five million phone numbers and email addresses was worse than initially reported. We have shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by multiple sources.

It had previously been thought that only one hacker gained access to the data, and Twitter’s belated admission reinforced that impression…

Background

HackerOne first reported the vulnerability back in January, which allowed anyone to enter a phone number or email address and then find the associated twitterID. This is an internal identifier used by Twitter, but can easily be converted to a Twitter handle.

A bad actor would be able to put together a single database that combined Twitter handles, email addresses and phone numbers.

At the time, Twitter admitted that the vulnerability had existed and was subsequently patched, but said nothing about anyone exploiting it.

Restore privacy subsequently reported that a hacker had actually used the vulnerability to obtain personal data from millions of accounts.

A confirmed Twitter vulnerability from January has been exploited by a threat actor to obtain account data allegedly from 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired from this exploit is now being sold on a popular hacking forum, which was made public earlier today.

Twitter subsequently confirmed the hack.

In July 2022, we learned through a press report that someone had potentially exploited this and offered to sell the information they had collected. After reviewing a sample of the data available for sale, we confirmed that a bad actor had exploited the issue before it was resolved.

Massive Twitter data breach plural, not singular

There were suggestions on Twitter yesterday that the same personal data had been accessed by several bad actors, not just one. 9to5Mac have now seen evidence that this is indeed the case. We were shown a dataset that contained the same information in a different format, with a security researcher stating that it was “definitely a different threat actor.” The source told us this was just one of a number of files they’ve seen.

The data includes Twitter users in the UK, almost all EU countries and parts of the US.

I have received several files, one per telephone number country code, containing the telephone number <-> Twitter account name pairing for the entire country phone number space from +XX 0000 to +XX 9999.

Any twitter account that had Discoverability | Phone setting activated at the end of 2021 was listed in the dataset.

The option referred to here is a setting that is hidden pretty deep in Twitter’s settings and appears to be turned on by default. Here is a direct link.

Bad actors are believed to have been able to download around 500,000 records per hour, and the data has been offered for sale by several sources on the dark web for around $5,000.

The security expert who tweeted about it has been suspended

Another security specialist who tweeted about the issue yesterday had their Twitter account suspended the same day. Internationally recognized computer security expert Chad Loder predicted Twitter’s reaction and was confirmed just within minutes.

They told me that multiple hackers obtained the same data and combined it with data from other breaches.

There appear to have been multiple threat actors operating independently collecting this data throughout 2021 for both phone numbers and emails.

The email-twitter pairings were derived by running existing large databases of more than 100 million email addresses through this Twitter vulnerability.

We wanted to reach out to Twitter for comment, but Musk fired the entire media relations team, so…

Photo: Unsplash

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

Add a Comment

Your email address will not be published. Required fields are marked *