An Irish DPC probe that was opened in November will include a late December breach that may have impacted 400 million Twitter users. The compromised data was listed for sale on a dark web forum on December 23, and independent third party verification indicates that a sample posted by the hackers appears to be legitimate.
The probe centers on an API vulnerability that appears to have been exploited by multiple parties before being detected and remediated. The issue came to light in August and was acknowledged by Twitter, but an independent researcher published a report in November claiming that the impact was much larger than previously known.
Irish DPC examines Twitter vulnerability allegedly exploited by multiple parties in 2021
The more recent data breach emerged on an underground forum just before the Christmas holiday. The hacker posted a sample of 1,000 Twitter profiles, and claimed to have over 400 million more available. The private profile information included email addresses and phone numbers associated with accounts, names paired with user names, and follower information.
The hacker directly addressed Elon Musk and Twitter leadership in the post, arguing that they should buy the data back to avoid potentially hundreds of millions of dollars in General Data Protection Regulation (GDPR) fines. The hacker has reportedly asked for a payment amount equivalent to $200,000 US. A forum user named “pompompurin” was named as the “official middleman,” a name that is likely familiar to those that keep up with cybersecurity news.
The files were reportedly taken in “early 2022,” indicating that this could be the same API vulnerability that Twitter is already under investigation by the Irish DPC for. That vulnerability was introduced in a code update in 2021 and was available for much of that year, finally identified and closed by Twitter in January 2022. The hacker may have been able to exfiltrate the 400 million records just before that breach window was closed.
The API flaw allowed an attacker to access Twitter user profile information if they were able to input a phone number or email address used by that account. As with many API vulnerabilities, this could be automated to try known email addresses and numbers and attackers quickly began scraping what they could once it was identified.
Twitter acknowledged the vulnerability in August and said that they had already patched it sometime in January, but initially underplayed the amount of impacted accounts. Independent security researcher Chad Loder presented a database file in November that indicated at least 5.4 million users had this account information compromised during the data breach window, but that the actual total could be as high as tens of millions (Twitter had about 368 million active monthly users around the world as of December). Twitter has since confirmed that the database file Loder presented was likely caused by exploitation of the API vulnerability, but did not have an internal estimate of how many users were impacted.
The Irish DPC has said that the Twitter API vulnerability and subsequent handling of it may have been in violation of “one or more provisions of the GDPR.”
Accounts logins not compromised, but Twitter data breach could spark phishing attempts
A pattern to the stolen Twitter data has yet to emerge, but the hackers claims they have an assortment of files ranging from celebrities to unknowns. Among the famous Twitter users they cited as part of the data breach were Piers Morgan, Donald Trump, Mark Cuban and Alexandria Ocasio-Cortez.
Third party security firm Hudson Rock has analyzed the posted sample of data and said that it looks legitimate, and that it mostly does not overlap with the 5.4 million records previously scraped in the prior data breaches (940 of the 1,000 account profiles appear to be unique).
The hacker has not released the data yet, but is threatening to make it public if Twitter does not arrange payment. They said that they will offer copies of the data to all comers for $60,000 a pop should Twitter opt not to pay.
The Irish DPC is at the head of all Twitter data breach investigations given the company’s regional headquarters in Dublin. This has been a point of controversy as of late, as GDPR investigations headed by the Irish DPC have tended to take unusually long amounts of time and end in fine recommendations that are below what other nations involved in the process have targeted. Twitter has already been an example of this, with an investigation into a prior data breach that was opened in January 2019 not concluding until December 2020 and ending with a €450,000 fine that required an Article 65 intervention by other members to settle (the Irish DPC initially wanted a fine of €135k to €275k). This was also the first fine of a big tech company issued by the Irish DPC since the GDPR went into effect in mid-2018.