5.4 Million Twitter Users’ Stolen Data Leaked Online, More Shared Privately

By ISBuzz Team, Writer, Information Security Buzz | Nov 28, 2022 03:47 am PST

An API flaw that was patched in January allowed the theft of over 5.4 million Twitter user records containing private information. These records have now been shared for free on a hacker forum. A security researcher has also revealed another enormous, possibly more significant, data dump of millions of Twitter records, illustrating how widely this flaw was exploited by threat actors. The material consists of scraped public data combined with non-public email addresses and phone numbers. Most of it is publicly available detail such as Twitter IDs, names, login names, locations, and verified status; however, it also contains private information like phone numbers and email addresses.

7 Expert Comments
Martin Jartelius
InfoSec Expert
November 29, 2022 8:29 pm

There are several things to learn from this – anomaly detection where we see excessive and increased use of a function would have been awesome here, but it is hard, and it is always simple to state those things in hindsight – it is however the difference between building something to not be insecure and building something to be secure.

The immediate issues here will be leaked private numbers which may lead to risks to victims of stalking or those voicing unpopular opinions, as well as of course for celebrities. What is also increasing in probability here is SIM-swapping attacks targeted at stealing access to popular accounts. Strangely, one of the entities that need to improve their security game and attention here is once again telcos, where their care or lack thereof can be an important difference between an incident and a disaster.

Also note that if you were attempting to stay anonymous on Twitter, correlations between your email and phone and your identity on other platforms may lead to your identification, so if you have voiced statements you are not ready to be associated with today, consider how to manage a situation where this might get exposed. If you used the platform for political statements and are in a place where this can present you problems, be aware.

Overall, this is a massive privacy breach, but in a context where privacy can be impacted due to the nature of the platform, this quickly becomes substantially more problematic in real life for individuals than cyber.

Last edited 10 months ago by Martin Jartelius
Erfan Shadabi, Cybersecurity Expert
InfoSec Expert
November 29, 2022 8:29 pm

The report that threat actors released and shared user records containing non-public information of over 5.4 million users can have serious negative implications for the victims. Threat actors may use this information to build profiles for much more successful and potentially lucrative attack methods such as phishing and smishing. Every enterprise should take a lesson out of this situation and protect all of their data with data-centric security—not just borders and perimeters around their data—no matter how harmless those data elements seem to be. Format-preserving encryption and tokenization can make phone numbers incomprehensible, which would have thwarted an effort such as this one to create a richer dataset of PII. The lesson should be clear—every piece of information has potential value to hackers and other bad actors, so protect that data accordingly.

Last edited 10 months ago by Erfan Shadabi
Joseph Carson, Thycotic
InfoSec Expert
November 29, 2022 8:27 pm

This particular attack has just been acknowledged by Twitter. The public disclosure of Twitter users’ phone numbers enables an attacker to attempt to bypass 2FA or MFA, if enabled.

Mobile phone numbers are just one step in the attack path to targeting users through MFA fatigue, but attackers may take the easy path and sell the data on to scammers to make themselves a bit of money.

Last edited 10 months ago by Joseph Carson
Jason Kent, Hacker in Residence
InfoSec Expert
November 29, 2022 8:25 pm

As our research has held again and again, if you have an unauthenticated API endpoint that retrieves data, the odds of being breached are extremely high. If the endpoint isn’t cataloged but still active, this shadow endpoint can leak massive amounts of data and lead to breaches like this. This keeps repeating itself over and over as API data breaches become important in the realm of the attacker.

Just like in 2013 when application vulnerabilities really started to become known to the rest of the world, attackers pivot to the new ways of succeeding in the attack. Now we are in the time of the API data breach where attackers are just starting to learn the simplicity of these attacks and really understand how to make the application do the attacker’s bidding.

Knowing what API endpoints are out there and what data can be accessed through them is a great first step. Protecting endpoints with authentication, ensuring there isn’t data leaking out via excessive information in API responses, and having a good understanding of what is out there can take an API security program to the next level.

Last edited 10 months ago by Jason Kent
Ed Williams, Director EMEA, SpiderLabs
InfoSec Expert
November 28, 2022 11:53 am

API (Application Programmer Interface) security appears to be one of the most underestimated areas of cyber security. APIs allow computers to communicate with one another, and account for ~80% of all the traffic that traverses the Internet. In short, APIs are very important and should be treated as such.

Yet, we still see common security-related issues around APIs; most notably authentication (or lack of) based issues, a lack of resource and rate limiting, and generic API security misconfigurations like TLS, error handling and logging. We know from recent data breaches that a combination of these can yield significant amounts of personal data.

APIs, like all other forms of Internet-facing infrastructure, should be hardened from a security perspective; this can be achieved through appropriate threat modelling, security design and focused penetration testing.

It’s also important to consider APIs in terms of asset management; all too often APIs have been compromised without the client knowing the API existed in the first place. To be able to secure something, you must first know you have it or intend to have it.

Last edited 10 months ago by Ed Williams
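The three weaknesses named in Jason Kent's and Ed Williams' comments (an unauthenticated lookup endpoint, no rate limiting, and excessive data in the response) can be shown side by side in a small constructed handler. This is an added illustration, not Twitter's code or anything from the article; the user store, API key, limits and field names are all assumptions.

```python
"""Constructed demo: an account-lookup endpoint that takes an email or phone.
`leaky_lookup` has the issues the comments describe; `hardened_lookup` fixes them."""
import time
from collections import defaultdict, deque

# Constructed sample user store (assumption: keyed by handle, holds contact PII).
USERS = {
    "alice": {"id": 1001, "name": "Alice", "email": "alice@example.org",
              "phone": "+15550001111", "verified": True},
    "bob": {"id": 1002, "name": "Bob", "email": "bob@example.org",
            "phone": "+15550002222", "verified": False},
}
API_KEYS = {"key-for-client-a"}      # assumed credential store
RATE_LIMIT, WINDOW_SECONDS = 5, 60  # assumed policy: 5 lookups per client per minute
_calls = defaultdict(deque)         # client_id -> timestamps of recent accepted calls


def _find_by_contact(contact):
    return next((h for h, u in USERS.items()
                 if contact in (u["email"], u["phone"])), None)


def leaky_lookup(contact):
    """No authentication, no throttle, and the full record comes back: anyone
    iterating phone numbers learns which ones map to accounts and gets PII too."""
    handle = _find_by_contact(contact)
    return {"found": handle is not None,
            "user": dict(USERS[handle]) if handle else None}


def _rate_limited(client_id, now):
    q = _calls[client_id]
    while q and now - q[0] > WINDOW_SECONDS:  # drop calls outside the window
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def hardened_lookup(contact, api_key, client_id, now=None):
    """Requires a valid key, enforces a per-client window, and never echoes the
    contact data back: only fields that are public anyway are returned."""
    now = time.time() if now is None else now
    if api_key not in API_KEYS:
        return {"status": 401}
    if _rate_limited(client_id, now):
        return {"status": 429}  # the point where bulk enumeration becomes visible
    handle = _find_by_contact(contact)
    if handle is None:
        return {"status": 404}
    u = USERS[handle]
    return {"status": 200, "user": {"id": u["id"], "name": u["name"], "verified": u["verified"]}}
```

The 429 responses are also the signal Martin Jartelius' comment asks for: a client that repeatedly hits the limit is the "excessive use of a function" worth alerting on.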
