Twitter API security breach exposes 5.4 million users' data

Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More

In July this year, cybercriminals began selling the user data of more than 5.4 million Twitter users on a hacking forum after exploiting an API vulnerability disclosed in December 2021.

Recently, a hacker released this information for free, just as other researchers reported a breach affecting millions of accounts across the EU and U.S.

According to a blog post from Twitter in August, the exploit enabled hackers to submit email addresses or phone numbers to the API to identify which account they were linked to.

While Twitter fixed the vulnerability in January this year, it still exposed millions of users’ private phone numbers and email addresses, and highlights that the impact of exposed APIs can be devastating for modern organizations.

Transform 2023

Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.

The Twitter breach comes amid a wave of API attacks, with Salt Security reporting that 95% of organizations experienced security problems in production APIs over the past 12 months, and 20% suffered a data breach as a result of security gaps in APIs.

This high rate of exploitation fits with Gartner's prediction that API attacks would become the most-frequent attack vector this year.

One of the unfortunate realities of API attacks is that vulnerabilities in these systems provide access to unprecedented amounts of data, in this case, the records of 5.4 million users or more.

"Because APIs are meant to be used by systems to communicate with each other and exchange massive amounts of data — these interfaces represent an alluring target for malicious actors to abuse," said Avishai Avivi, SafeBreach CISO.

Avivi notes that these vulnerabilities provide direct access to underlying data.

"While traditional software vulnerabilities and API vulnerabilities share some common characteristics, they are different at their core. APIs, to an extent, trust the system that is trying to connect to them," Avivi said.

This trust is problematic because once an attacker gains access to an API, they have direct access to an organization's underlying databases, and all the information contained within them.

The most significant threat emerging from this breach is social engineering. Using the names and addresses harvested from this breach, it is possible that cybercriminals will target users with email phishing, voice phishing, and smishing scams to try and trick users into handing over personal information and login credentials.

"With so much information disclosed, criminals could quite easily use it to launch convincing social engineering attacks against users. This could be not only to target their Twitter accounts, but also via impersonating other services such as online shopping sites, banks or even tax offices," said Javvad Malik, security awareness advocate with KnowBe4.

While these scams will target end users, organizations and security teams can provide timely updates to ensure that users are aware of the threats they’re most likely to counter and how to address them.

"People should always remain on the lookout for any suspicious communications, especially where personal or sensitive information is requested such as passwords," Malik said. "When in doubt, people should contact the alleged service provider directly or log onto their account directly."

It's also a good idea for security teams to remind employees to activate two-factor authentication on their personal accounts to reduce the likelihood of unauthorized logins.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.