Twitter API safety breach exposes 5.4 million customers’ information

In July this 12 months, cybercriminals started promoting the consumer information of greater than 5.4 million Twitter customers on a hacking discussion board after exploiting an API vulnerability disclosed in December 2021. 

Just lately, a hacker launched this info without cost, simply as different researchers reported a breach affecting thousands and thousands of accounts throughout the EU and U.S. 

Based on a blog post from Twitter in August, the exploit enabled hackers to submit e-mail addresses or telephone numbers to the API to determine which account they had been linked to.  

Whereas Twitter mounted the vulnerability in January this 12 months, it nonetheless uncovered thousands and thousands of customers’ non-public telephone numbers and e-mail addresses, and highlights that the impression of uncovered APIs could be devastating for contemporary organizations.  

The true impression of API assaults

The Twitter breach comes amid a wave of API assaults, with Salt Safety reporting that 95% of organizations skilled safety issues in manufacturing APIs over the previous 12 months, and 20% suffered a knowledge breach on account of safety gaps in APIs. 

This excessive fee of exploitation matches with Gartner’s prediction that API assaults would grow to be the most-frequent assault vector this 12 months.  

One of many unlucky realities of API assaults is that vulnerabilities in these methods present entry to unprecedented quantities of information, on this case, the information of 5.4 million customers or extra. 

“As a result of APIs are meant for use by methods to speak with one another and trade large quantities of information — these interfaces characterize an alluring goal for malicious actors to abuse,” mentioned Avishai Avivi, SafeBreach CISO. 

Avivi notes that these vulnerabilities present direct entry to underlying information. 

“Whereas conventional software program vulnerabilities and API vulnerabilities share some widespread traits, they’re completely different at their core. APIs, to an extent, belief the system that’s attempting to connect with them,” Avivi mentioned. 

This belief is problematic as a result of as soon as an attacker positive factors entry to an API, they’ve direct entry to a corporation’s underlying databases, and all the knowledge contained inside them. 

What’s the risk now? Social engineering

Probably the most vital risk rising from this breach is social engineering. Utilizing the names and addresses harvested from this breach, it’s attainable that cybercriminals will goal customers with e-mail phishing, voice phishing, and smishing scams to try to trick customers into handing over private info and login credentials. 

“With a lot info disclosed, criminals might fairly simply use it to launch convincing social engineering assaults towards customers. This may very well be not solely to focus on their Twitter accounts, but in addition through impersonating different companies reminiscent of on-line procuring websites, banks and even tax workplaces,” mentioned Javvad Malik, safety consciousness advocate with KnowBe4. 

Whereas these scams will goal finish customers, organizations and safety groups can present well timed updates to make sure that customers are conscious of the threats they’re almost certainly to counter and the best way to handle them. 

“Individuals ought to all the time stay looking out for any suspicious communications, particularly the place private or delicate info is requested reminiscent of passwords,” Malik mentioned. “When unsure, folks ought to contact the alleged service supplier instantly or log onto their account instantly.” 

It’s additionally a good suggestion for safety groups to remind workers to activate two-factor authentication on their private accounts to cut back the probability of unauthorized logins.