Twitter API vulnerability leaves millions exposed

The data breach has resulted in millions of account details being dumped on hacker forums.
6 January 2023

Whether it’s data or water, when what should be safe inside gets out through a breach, bad things happen.

The APIs that Twitter uses to collect non-public data from its users’ accounts may well be leaving that data vulnerable. In fairness, this is hardly news – since July 2022 a threat actor has been selling the data (including phone numbers and email addresses) of 5.4 million Twitter users, including celebrities and politicians, for around $30,000, based on a cache from December 2021. The data of an additional 1.4 million suspended users, collected through a different API, was also exposed for sale.

So the vulnerability of this data was long established. But on November 24th, all 5.4 million users’ data was dumped, for free, on hacker forums.

A credible threat.

Bleeping Computer, which downloaded the data, confirmed its provenance and significance, and reported that the information was already being used by several threat actors to steal private information via Twitter.

In addition, it is believed that an even larger data dump has been prepared, amounting to tens of millions of Twitter records – again containing emails, phone numbers and more – using the same API vulnerability. News of the mega-dump was broken to the world by security expert Chad Loder. Ironically perhaps, he broke the news of the Twitter breach… on Twitter, which promptly suspended his account. He ultimately got the news out by posting redacted samples of the mega-breach on Twitter’s rising rival, Mastodon.

Continuing its detective work on the Twitter breach, Bleeping Computer has subsequently verified some of the sample data in Loder’s post, meaning it should be treated as a credible threat.

What could it mean?

These kinds of data breaches are typically the basis of massive phishing scams. It is hard to believe that phishing is still one of the most effective forms of cyberattack as we head into 2023, but emails that seem to come from Twitter, if properly crafted, could bridge a lot of the credibility gap on which phishing scams depend.

With access to data that should be known only to individuals and the companies they entrust it to – like Twitter, when you sign up for an account – it’s quite possible that the Twitter breach and the subsequent data-dumps will form the basis of a new wave of phishing scams which will, to say the least, be time-consuming to check for validity. The cyberattackers might well be able to craft believable suspension or banning emails, or emails that require link-clicking for “confirmation” of details, that could bypass many people’s natural and increasing cyber-skepticism.

It would possibly be piquant to observe that anyone prepared to hand over $8 for a blue verification check might well be an easy target for a phishing scam threatening or “advising” of the subsequent loss of the blue checkmark of validation.

Celebrity victims.

The original data-dump of over 5 million user records includes the details of former President Barack Obama, controversial musician Ye (the artist formerly known as Kanye West), celebrity Meghan Markle-hater Piers Morgan, Microsoft co-founder Bill Gates, and – in a move that wins “Irony of the Year” for 2022 – Twitter CEO and chief provocateur, Elon Musk.

It’s worth noting these high-profile accounts because, while phishing is the main danger of data breaches like this, spoofing of such celebrity accounts also becomes possible once you have authentic data on which to base your spoof accounts. That means fake and compromised emails from people pretending to be Twitter itself are just the first wave of potential phishing damage from these data-dumps. With the correct credentials, emails could be sent from spoof accounts seeming to be from any of the compromised individuals.

Fake profiles.

An additional, though less insidious danger is that with the correct Twitter credentials, bad actors could set up entirely legitimate-seeming Twitter profiles in the names of any of the celebrity victims, and a simple link in their bio could lead to ransomware pages or infect phones or computers with other malware.

If there’s an ultimate irony about this breach, it’s that it originally happened before Elon Musk took over as CEO of Twitter. Since his takeover, Twitter’s profile, advertising revenue, and general membership have plummeted, with a lot of celebrities publicly and noisily announcing their departure for alternative platforms – particularly Mastodon. That means that any attempt to spoof celebrity profiles will likely have an even shorter window of activity than it otherwise would have, unless the cybercriminals can convince Twitter users that they’re the original celebrities and have “returned” to the platform.

As ever, the key to avoiding being caught by phishing scams is to take a deep breath whenever an unexpected email comes in. That allows you to check the content, the context, and the plausibility of the sender. In the event of unusual emails coming from Twitter, or from a celebrity account, think twice, report the mail to the company or representative, and under no circumstances click any links – even if the email puts pressure on you to do so.