Of course, these are not being good times for Twitter. This 2022, the social network has entered a circle of self-destruction that we could not have imagined before. In addition to the controversial purchase of this by Elon Musk, the security and protection of user data is not exactly shining for its effectiveness. And it is that, this same weekend, a massive data leak which has been possible using a vulnerability in the API corrected neither more nor less than last January.
In January of this same year, Twitter engineers corrected a very serious vulnerability in the platform’s own API that allowed access to the data of other users. Until now, this vulnerability had been left as just one more, fixed internally before it was too late, and that’s it. However, last July, a hacker began to sell a database of this social network with personal and private information of more than 5.4 million users. His asking price for the database was $30,000.
Among other things, the information that could be found in it were Twitter IDs, names, usernames, passwords, verification statuses… but also verified phone numbers and email addresses. All this information has been obtained through reverse requests to the API, which, based on the user ID, the API returned the rest of the information.
In addition to the database of 5.4 million users, the data of more than 1.4 million users was also obtained from a different API, especially users with suspended and blocked profiles, making a total of 7 million accounts. violated Of course, this second database has only been shared with a very small circle of trusted “hackers”.
Now, this database has begun to be shared privately through various specialized forums. Therefore, anyone who knows how to search can get hold of it. This database includes the 5.4 million stolen accounts, plus the 1.4 million suspended account data, making a total of 6.7 million Twitter user entries.
The problem is that, although they seem like many accounts to us, it is only a small part of something bigger.
A database with tens of millions of users
Although until now no information about it had been leaked, everything points to another group of hackers managing to take advantage of the API vulnerability before it was fixed to create a database with tens of millions of users Twitter. In this database the same information would appear as in the previous one, since they were the data that the API allowed to access, highlighting, especially, the telephone numbers and validated emails.
The pirates who are now selling this massive database also have it very well ordered and organized, and can even filter by specific countries to carry out targeted attacks.
What I can do?
User passwords and bank details entered, for example, to pay for Twitter Blue, have not been compromised. But yes, the email addresses and telephone numbers have been. This can lead to an exponential increase in targeted cyber attacks and phishing. Therefore, this is where we have to pay special attention.
It is very likely that deceit calls will increase very soon, or emails that seek us to enter links, download files, or provide them with more personal data. Therefore, it is necessary to take extreme precautions to avoid that, because of this new attack on Twitterwe end up in trouble.
