A new report revealed that a cybercriminal exploited a security vulnerability to carry out a Twitter hack. The resulting data breach gave the attackers access to the details of around 5.4 million users, which they are now offering for sale at $300,000.
Apparently, the microblogging site acknowledged that there was a valid security issue and even paid the discoverer, “zhirinovskiy”, a $5,040 bounty.
Data Breach and Aftereffects
AppleInsider reported that the Twitter hack stemmed from a vulnerability discovered in January 2022. Although 5.4 million is a large number, it is smaller than the T-Mobile data breach of 2021, which exposed the personal information of 76.6 million “current, former and prospective customers.” The mobile carrier recently settled a class-action lawsuit for $350 million as the stolen data was sold on hacker forums.
Sven Taylor of Restore Privacy commented that, just as the user “zhirinovskiy” had predicted, a hacker has managed to take advantage of the security issue and is now selling the acquired data. He stated that the sale is live and that his team reached out to the hacker to gather additional information about the data set. Unable to mask his frustration at the debacle, Taylor added, “The seller is asking for at least $30,000 for the database, which is now available due to ‘Twitter’s incompetence,’ according to the seller.”
The seller has posted details about the Twitter hack data on Breach Forums, a forum dedicated to data breach discussion and data leaks. According to Restore Privacy, the forum’s owner has verified the authenticity of the leak. Furthermore, the seller has provided a sample of the collected data on the site. It appears to include publicly available Twitter profile information alongside the phone numbers and/or email addresses used for logging in. Although the sample contains no passwords, the email addresses it exposes could be used with Twitter’s “Forgot Password” feature to attempt password resets.
Twitter Hack 2020
On July 15, 2020, Twitter was attacked by hackers who tried to phish employee credentials. They called up customer service and tech support teams and asked them to reset their passwords. Earlier in the day, a Discord user with the handle Kirk#5270 made an enticing proposition. “I work for Twitter. I can claim any name, let me know if you’re trying to work.”
As more and more people fell prey to the scam, Twitter responded by blocking all verified accounts from posting. As Twitter confirmed later, 130 accounts were targeted in all. Attackers successfully tweeted from 45 of the accounts, accessed the direct messages of 36, and downloaded the Twitter data of seven accounts. It was an unprecedented crisis that could have caused far greater chaos without the timely action.
Following that attack, Twitter put more security measures in place to prevent such hacks, but it seems they have not been enough.
Data Breach Lawsuits & Settlements
Data leaks are a costly affair. In the case of T-Mobile, apart from the $350 million, the court also ordered the company to spend an additional $150 million to upgrade its data security.
In 2017, Equifax announced a data breach that exposed the personal information of 147 million people. In early 2022, the company agreed to pay up to $425 million to help people affected by the data breach. Also, eligible claimants will receive a free four-year membership in Experian IdentityWorks, which offers identity theft protection, and users do not have to provide payment info to enroll or cancel the service when it ends.
In 2020, Home Depot reached a $17.5 million settlement with 46 states and Washington, DC, with regard to a 2014 data leak in which hackers accessed payment card details belonging to 40 million customers.
Former FBI Director Robert Mueller once warned, “Hackers for profit do not seek information for political power — they seek information for sale to the highest bidder.” Currently, the US Congress is considering the American Data Privacy and Protection Act, introduced in June 2022, which lays out a framework for protecting individuals’ private data.