newsweekshowcase.com

More than 200 million email addresses have been leaked by hackers.

The Verge: https://www.theverge.com/2023/1/6/23542038/twitter-hack-200-million-email-addresses-usernames-affected

Twitter Leaks Reveal a Social Media Cyber-Security Threat: The Case of Cyabra and BleepingComputer

Verified Twitter users caught up in the apparent leak, or users with particularly large followings, will be particularly valuable targets as a result of the leak, security experts warned, as those account holders may be especially influential celebrities or susceptible to extortion.

The spokesman for Cyabra, a social media analysis firm, said that bad actors have won the lottery. Private data such as emails, handles, and creation date can be used to build a more sophisticated hacking, phishing and disinformation campaign.

According to reports from security researchers and media outlets including BleepingComputer, the credentials were compiled from a number of earlier Twitter breaches dating back to 2021. Although the database does not contain passwords, it still represents a security threat to those affected.

Estimates of the exact number of users affected by the breach vary, in part because of the tendency for such large-scale data dumps to include duplicate records. Screenshots of the database shared by BleepingComputer show it contains a number of text files listing email addresses and linked Twitter usernames, as well as users’ real names (if they shared them with the site), their follower counts, and account creation dates. BleepingComputer said it had “confirmed the validity of many of the email addresses listed in the leak” and that the database was being sold on one hacking forum for as little as $2.

Hunt did not immediately respond to a question from CNN asking whether the records would be added to his website, haveibeenpwned.com, which allows users to search hacked records to determine if they have been affected. CNN hasn’t verified the records’ authenticity.

In the summer of 2015, Peiter Mudge Zatko filed a report to the US government about security vulnerabilities in the operations of the company. Zatko claimed that Twitter’s shortcomings on security reflected a breach of Twitter’s binding commitments to the Federal Trade Commission, a serious offense. (Twitter broadly and repeatedly pushed back at Zatko’s allegations.)

How do I Know I’m Getting Fooled: How I Wanna Be? What Have I Learned about the BleepingComputer and Twitter Leaks?

To protect themselves from phishing attempts, internet users should use unique passwords for each online service and keep track of them using a digital password manager, security researchers say. When opening emails or links, they should be wary of what they are getting, and they should enable multi-factor authentication for each of their accounts.

According to the cybersecurity news outlet BleepingComputer, which did claim to test the data, the latest dump appears similar to a leaked dataset advertised on hacking forums in November containing an alleged 400 million records, but slimmed down to eliminate some duplicate records. There is no comment from Twitter on that leak.

In December, Twitter’s main European privacy regulator, the Irish Data Protection Commission, said it is investigating the July 2022 leak as a possible violation of Europe’s signature privacy law, known as GDPR.

The company improved its cyber posture by signing two consent orders with the FTC. FTC orders can lead to sanctions against individual executives.

“This is one of the most significant leaks I’ve seen,” Alon Gal, co-founder of Israeli cybersecurity firm Hudson Rock, said in a post describing the hack on LinkedIn. It will lead to a lot of hacking.

Anyone can go to the Have I Been Pwned website and enter their email address to find out if it is in the database.
