A Twitter data breach announced earlier this year has been revealed to be much worse than thought. It appears that a database containing emails and phone numbers of 5.4 million Twitter users is being shared among numerous hackers, rather than just one offender.
Another database, reportedly featuring records of up to 17 million Twitter users, has also been compiled, apparently using the same methods, though this has not yet been released online. These breaches do not bode well for Twitter’s overall cybersecurity, and could cause a “real risk of backlash on the company,” an expert told Tech Monitor.
How the Twitter data leak happened
The database of 5.4 million records was posted on the clear-web hacking forum Breached.co last week and can be downloaded for free. It has apparently already been picked up by multiple hackers, who have been passing users' details around on the dark web.
It contains data from a leak uncovered in July, when the private details of millions of Twitter users were found on sale online for $30,000. The hackers are reported to have harvested the data through a vulnerability in a Twitter API that the company had known about since January: anyone who submitted an email address or phone number could learn which Twitter handle it was linked to.
Twitter acknowledged the incident in August. “This bug resulted from an update to our code in June 2021,” a company statement said. “In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”
Another dataset, a dump of up to 17 million Twitter records, is also on the market, according to security researcher Chad Loder. It has not yet been made available for free, but is apparently broken up by country and area code, covering Europe, Israel and the USA among others. The number of records in this dataset has not been verified.
What is clear is that the technique has been widely exploited, Loder said. “There appear to have been multiple threat actors, operating independently, harvesting this data throughout 2021 for both phone numbers and emails,” Loder explained. “The email-twitter pairings were derived by running existing large databases of 100M+ email addresses through this Twitter discoverability vulnerability.”
Loder’s Twitter account has since been suspended, but he has continued to post details of the breach on his Mastodon account.
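To make the bug class concrete, here is an added illustration (written for this page, not Twitter's code, and not a description of the exact flaw in Twitter's API, which the article only characterises as matching emails and phone numbers to handles). It models a contact-discovery endpoint over a constructed toy directory of invented users. The vulnerable version answers any lookup regardless of the user's discoverability setting, which is what lets a large list of addresses be run through it to harvest handle pairings. The hardened version honours the opt-in, returns an identical "nothing found" answer for both "no such user" and "user opted out", and caps lookups per caller; the per-caller quota is an assumed mitigation chosen for the example, not something the article attributes to Twitter.

```python
"""Account-discoverability oracle: vulnerable lookup beside a hardened one.
Constructed example; the directory, handles and contact details are invented."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class User:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool  # "let people who have my email find me"
    discoverable_by_phone: bool  # "let people who have my phone number find me"


# Constructed sample directory (assumption: three hypothetical accounts).
DIRECTORY = [
    User("alice", "alice@example.com", "+15550100", True, True),
    User("bob", "bob@example.com", "+15550101", False, False),
    User("carol", "carol@example.com", "+15550102", False, True),
]


def vulnerable_lookup(identifier: str, caller: str = "anon") -> Optional[str]:
    """Buggy endpoint: returns the handle for any matching email or phone,
    ignoring the user's discoverability settings and with no per-caller limit.
    Each call therefore leaks one (contact, handle) pairing to whoever asks."""
    for u in DIRECTORY:
        if identifier in (u.email, u.phone):
            return u.handle
    return None


class HardenedLookup:
    """Hardened endpoint: only returns a handle when the user opted in for that
    channel, answers None identically for 'no such user' and 'opted out', and
    stops answering once a caller exceeds a quota (assumed mitigation)."""

    def __init__(self, quota_per_caller: int = 50):
        self.quota = quota_per_caller
        self.calls: Dict[str, int] = defaultdict(int)

    def __call__(self, identifier: str, caller: str = "anon") -> Optional[str]:
        self.calls[caller] += 1
        if self.calls[caller] > self.quota:
            return None  # over quota: indistinguishable from a miss
        for u in DIRECTORY:
            if identifier == u.email and u.discoverable_by_email:
                return u.handle
            if identifier == u.phone and u.discoverable_by_phone:
                return u.handle
        return None


def harvest(lookup: Callable[[str, str], Optional[str]],
            candidates: Iterable[str], caller: str = "harvester") -> Dict[str, str]:
    """Runs a candidate list through an endpoint, the way Loder describes
    existing email lists being run through the discoverability bug, and
    collects every (identifier -> handle) pairing the endpoint gives up."""
    found: Dict[str, str] = {}
    for candidate in candidates:
        handle = lookup(candidate, caller)
        if handle:
            found[candidate] = handle
    return found


# Constructed candidate list: contacts that exist in the toy directory plus junk.
CANDIDATES = [
    "alice@example.com", "bob@example.com", "carol@example.com",
    "+15550102", "+15550101", "nobody@example.com",
]

if __name__ == "__main__":
    print("vulnerable:      ", harvest(vulnerable_lookup, CANDIDATES))
    print("hardened:        ", harvest(HardenedLookup(), CANDIDATES))
    print("hardened, quota 2:", harvest(HardenedLookup(quota_per_caller=2), CANDIDATES))
```

Against the vulnerable lookup the harvester recovers every pairing in the directory, including bob's, who opted out of both channels. The hardened lookup gives up only the pairings users chose to expose (alice by email, carol by phone), and a small quota cuts the haul further. A quota on its own is weak against attackers who spread lookups across many accounts and IPs, which is why the setting check and the uniform miss response are the substantive fixes.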
Twitter’s cybersecurity problems set to continue
Tech Monitor has previously reported on the potential cybersecurity problems created by Musk’s $44bn takeover of Twitter, which led to half of the company’s staff being made redundant. Since Musk bought the company in October he has pursued a stark reorganisation of the company that some analysts worry is having a negative effect on the basic running of the site.
Though the current problems started before Musk took charge, the platform is likely to have difficulty resolving issues like this in future with so many staff having departed, says Tom Gol, CTO for research at security vendor Armis. “Now, they have a whole new privacy challenge and security risk, which is being exacerbated by employees being let go or leaving – it’s natural that there will be distractions,” Gol says. “It’s these newer sets of challenges that are going to be creating issues. What should drive concern is if there will be enough procedural rigour without the leader at the helm.”
Gol added that Twitter had removed its multi-factor authentication service as part of a cull of 80% of the microservices running on the platform. That “doesn’t bode well for the future,” he said.
He adds that Twitter users smarting from the potential exposure of their personal details may have to get used to their information being put at risk. “When services get shut down there should be a wider understanding of the impact that it will have on the business,” Gol says. “With this new frontier of Twitter, it is possible to impersonate anyone or anything around the globe. If we couple that with the determination of hacktivists or even ex-employees, there is a real risk of backlash on the company – and Twitter users could be the ones in the firing line as a result.”
In more positive security news, Musk announced over the weekend that Twitter direct messages would be end-to-end encrypted under proposed changes to the platform, but Gol is sceptical the feature will be introduced imminently. “The platform previously attempted to implement encrypted DMs back in 2018 and gave up for an unknown reason,” Gol says. “Given that the same task took Meta over a year, and that Twitter recently laid off a significant part of its workforce, it may take some time before we see this feature rolled out.”