A vulnerability that was present in Twitter’s API in 2021 caused a data leak that exposed private user profile information, with at least 5.4 million of the platform’s estimated 200 to 300 million users (at the time) impacted. The information is now available for free via a dark web forum.
Multiple parties were reportedly able to scrape the API by submitting phone numbers and email addresses to it; a match to an account returned non-public contact details and platform-use information. Twitter reportedly closed the security hole in January 2022.
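As an added example that is not part of the article: a toy contact-lookup endpoint that mirrors the flaw described above (any caller can submit a phone number or email and get back non-public profile fields), beside a hardened version that honours user opt-in, returns only a handle, and enforces a per-client lookup budget, plus a detector that flags enumeration from constructed access-log lines. All user data, client ids and log lines are made up.

```python
from collections import defaultdict

# Constructed sample user store keyed by contact value; every value is made up.
USERS = {
    "alice@example.com": {"handle": "alice", "phone": "+15550100", "city": "Paris"},
    "+15550200": {"handle": "bob", "phone": "+15550200", "city": "Lyon"},
}

def lookup_vulnerable(contact):
    """Any caller, at any volume: a hit returns the non-public profile fields."""
    return dict(USERS[contact]) if contact in USERS else None

class HardenedLookup:
    """Contact discovery gated by user opt-in and a per-client lookup budget."""
    def __init__(self, budget=3):
        self.budget = budget
        self.spent = defaultdict(int)
        self.discoverable = {"alice@example.com"}  # users who opted in

    def lookup(self, client_id, contact):
        self.spent[client_id] += 1
        if self.spent[client_id] > self.budget:
            return {"error": "rate_limited"}
        # Return only the handle, only for opted-in users, and never echo the
        # phone, email or city. Unknown and non-discoverable contacts look alike,
        # so the endpoint is not an oracle for "is this number registered?".
        if contact in USERS and contact in self.discoverable:
            return {"handle": USERS[contact]["handle"]}
        return {"handle": None}

def flag_enumerators(log_lines, max_distinct=3):
    """Count distinct contacts probed per client; high fan-out means scraping."""
    probes = defaultdict(set)
    for line in log_lines:
        client, _endpoint, contact = line.split()
        probes[client].add(contact)
    return sorted(c for c, seen in probes.items() if len(seen) > max_distinct)

# Constructed access-log lines: "<client_id> <endpoint> <contact probed>"
LOGS = [
    "app1 /contacts/lookup alice@example.com",
    "app1 /contacts/lookup alice@example.com",
    "scraper /contacts/lookup +15550001",
    "scraper /contacts/lookup +15550002",
    "scraper /contacts/lookup +15550003",
    "scraper /contacts/lookup +15550004",
]

if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"))  # leaks phone and city
    print(flag_enumerators(LOGS))  # ['scraper']
```

The budget and distinct-contact threshold are illustrative; in practice they would be tuned to the legitimate contact-sync volume of each client.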
Twitter data leak exposed private email addresses, phone numbers
The contents of the data leak were first made available for sale on an underground forum in July 2022, with one of the hackers asking for $30,000 for a collection of 5.4 million Twitter user files. The API vulnerability exposed the email address and phone number associated with the account, along with the city the user resides in (if provided) and some non-public usage and engagement metrics.
It is not clear if the same party that offered the files for sale in July gave up and dumped the collection, but it was apparently posted to a forum in September and then again to another public forum in late November. A private sharing of the data leak reportedly contained an additional 1.4 million scraped profiles from Twitter users that had been suspended, which were collected using a different API. The one currently available to the public as of November reportedly does not have the suspended account information in it.
While multiple media outlets have confirmed that the 5.4 million-record data leak is now freely available, security researcher Chad Loder believes that a separate, much larger data leak is still circulating privately among threat actors. He posted a sample to his Twitter and Mastodon accounts that is tied to a file containing over 1.3 million phone numbers belonging to Twitter users in France, a data set that is not present in the prior leak.
The new sample illustrates that it is unclear exactly how many people were making use of the API vulnerability before it was fixed, and the 5.4 million files may only be the tip of the iceberg. The other data leak could contain as many as 17 million files and reportedly has profiles from throughout Europe along with Israel and the United States.
API vulnerabilities create opportunities for scams, phishing campaigns
While serious concerns have been raised about Twitter’s ability to secure itself as new owner Elon Musk slashes staff, this incident unfolded entirely under prior management (which itself is under scrutiny after whistleblower Peiter “Mudge” Zatko testified to Congress about numerous issues of mismanagement this past September). The waters of Loder’s claims are also somewhat muddied by his public position as an “anti-fascist researcher” and statements against Musk; Loder was suspended from Twitter recently over claims of association with Antifa groups that promote political violence (that were swept off the platform in a mass ban wave in late November), and his regular profiling of alleged fascist figures may have put him on the wrong side of Twitter “doxxing” rules at times.
But though the issue appears to have emerged far in advance of Musk’s interest in the company, Richard Bird (Chief Security Officer from Traceable) does not feel confident in the company’s continuing response to the issue: “The timeline and the confusion reflected in Twitter’s statements to the market about its latest breach echo the widespread lack of understanding about the risks associated with APIs, as well as the inability to secure those APIs in a timely manner. Twitter created a pathway to a broken object-level authorization exploit and then believed that no one capitalized on that error. Unfortunately, that has been proven wrong. This is the problem with APIs; when you have no security program around them, bad actions don’t look any different from normal users. Twitter simply didn’t understand the difference between a use case and an abuse case within their code, and this is something that happens regularly to companies of all sizes. This incident should serve as a reminder to the world of how weak API security is within almost every corporation and organization on the planet.”
Even if the number of stolen Twitter profiles is closer to five million than tens of millions, that is still a massive amount of data that ranges across many different countries and will likely be put to use in targeted phishing and confidence schemes. Security experts advise heightened scrutiny of any emails that appear to come from Twitter, or any direct messages received on the platform from previously unknown parties. Known phishing approaches on the platform include carefully crafted fake messages regarding account suspensions, login issues and claims that verified accounts are about to lose their status if they do not take action.
The incident illustrates that API vulnerabilities continue to be alive and well, and while they may not provide an immediate point of entry into networks, they can be leveraged to cause breaches. Some security experts believe that API attacks are poised to grow tremendously in popularity and may even become the most common attack type in the next year. At least one study has found that nearly every company has experienced an API security issue at this point, and that in 20% of these cases it led to a data leak or breach.
Brian Johnson, Chief Security Officer at Armorblox, believes that smart attackers will attempt to exploit general security concerns about Twitter in conjunction with this data leak: “Breaches that expose email addresses and phone numbers are almost always followed up by targeted phishing and SMiShing campaigns. Given that Twitter has also been in the news a lot recently, attackers might exploit our cognitive biases like recency bias to send out fake password reset emails or SMSes to Twitter users to steal their credentials. Stolen passwords now allow them to try these passwords out laterally across other sites because many users use the same password across different providers. We recommend that users set up multi-factor authentication on all their personal and work accounts, and more specifically, watch out for suspicious emails that appear to be coming from Twitter. This includes verifying the sender email addresses, and any links that are included in the email to make sure that they are indeed related to Twitter.”