Attackers behind the recent Twitter leak that exposed details of over 400 million users opted to share details of millions of Twitter users for free.
Threat actors posted an ad on a popular hacking forum claiming they are giving away over 200 million unique records collected in a recent Twitter data leak.
According to Hudson Rock, an Israeli cyber-intelligence company, the database attackers are giving away contains 235 million unique records of Twitter users and their email addresses.
“[This] will unfortunately lead to a lot of hacking, targeted phishing, and doxxing. This is one of the most significant leaks ever,” the company tweeted.
Leaked username and email combinations might reveal the identities of account holders operating under a pseudonym or anonymously. Users are also advised to stay vigilant as threat actors could employ the dataset for targeted phishing campaigns and scams.
In late December, threat actors posted an ad on the same hacker forum, claiming they were selling the data of over 400 million Twitter users. The dataset included Twitter handles, usernames, email addresses, and phone numbers. Threat actors behind the leak aimed to sell the data for up to $200k.
Security experts think that consumers are getting used to their data being leaked left and right and are unlikely to be shocked by the Twitter leak.
Meanwhile, data protection watchdogs will keep a keen eye on Elon Musk’s company. Ireland’s Data Protection Commission (DPC) said it “will examine Twitter’s compliance with data protection law in relation to that security issue” after last week’s leak.
Researchers have already noted that prominent figures had their Twitter accounts hacked after attackers put up an ad selling Twitter user data.
API problems
Threat actors likely obtained the Twitter data using the same practice. According to Alon Gal, Co-Founder and CTO of Hudson Rock, the Twitter data might have been obtained from an application programming interface (API) vulnerability.
“The data is increasingly more likely to be valid and was probably obtained from an API vulnerability enabling the threat actor to query any email/phone and retrieve a Twitter profile, “Gal said in a post on Linkedin.
The bug Gal was writing about is the same that piqued the interest of Irish regulators over Twitter losing the data of 5.4m users.
The flaw allowed them to input phone numbers and email addresses into Twitter API and receive a Twitter user ID, eventually allowing them to create a dataset consisting of both public and private data.
