IOTW: Twitter accused of covering up data breach that affects millions – Cyber Security Hub

A Los Angeles-based cyber security expert has warned of a data breach at social media site Twitter that has allegedly affected “millions” across the US and EU.
Chad Loder, founder of cyber security awareness company Habitu8, took to the social media site on November 23 to warn users of the alleged breach, which Loder claims occurred “no earlier than 2021” and “has not been reported before”.
In a series of tweets, Loder claimed they had seen the data stolen in the alleged breach and spoken to potential victims of the breach, who had confirmed that the breached data was “accurate”.
A tweet from Loder's now suspended Twitter account describing the alleged breach
Loder said that any Twitter account with the “let others find you by phone number” setting enabled in its “discoverability” settings is affected, with “all accounts for the entire country code of France” listed, with their full mobile numbers.
The breach also allegedly includes the “full phone number spaces for multiple country codes in the EU” and “some area code[s] in the US”, with the data set including personal information for “verified accounts, celebrities, prominent politicians and government agencies”.
Twitter previously confirmed a data breach that affected millions of user accounts in July of this year. Loder, however, stated that this “cannot” be the same breach unless the company “lied” about the July breach. According to Loder, the data from this breach is “not the same data” as that seen in the July breach, as it is in a “completely different format” and has “different affected accounts”.
Loder believes that the breach occurred due to malicious actors exploiting the same vulnerability as the hack reported in July.

Loder’s Twitter account was suspended at some point in the last 24 hours as, according to Twitter, it “violate[d] the Twitter rules”.
On July 27 of this year, a hacker who went by the alias ‘devil’ claimed in a post on hacking forum Breach Forums that they were selling data stolen from more than 5.4 million Twitter accounts.
According to devil, the data stolen included email addresses and phone numbers from “celebrities, companies, randoms, OGs, etc”. ‘OGs’ refers to Twitter handles that are either short, comprising one or two letters, or a desirable word, like a first name. Devil said they would not accept offers lower than US$30,000 for the data set.
The owner of Breach Forums first verified that the leak was authentic, stating that the breach took place because devil was able to exploit a vulnerability on the social media site that had first been flagged in January 2022.
A report on the vulnerability was published to bug bounty and vulnerability coordination platform HackerOne on January 1, 2022, by a member called zhirinovsky. In the report, they described the effects of the vulnerability, saying:
“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.”
This means the vulnerability could, and later did, allow “any attacker with a basic knowledge of scripting/coding [to] enumerate a big chunk of the Twitter user base” and collect user data into a database that linked Twitter usernames to their respective email addresses or phone numbers. This could then be sold to malicious parties who could use the data for advertising purposes, or to maliciously target specific Twitter accounts, for example celebrities.
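The report above describes a duplicate-account check that answers an unauthenticated caller with an account ID for any phone number or email, regardless of the owner's discoverability setting. The following added example (not Twitter's code, and not from the HackerOne report) shows that pattern in a simplified form beside a hardened version that returns a uniform response, confines contact matching to an authenticated, opt-in path, and rate-limits lookups per source. All accounts, numbers and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class Account:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_phone: bool = False   # the "let others find you by phone number" setting
    discoverable_by_email: bool = False


# Constructed sample accounts (not real users).
ACCOUNTS = [
    Account(1001, "alice", "alice@example.com", "+15550100", True, False),
    Account(1002, "bob", "bob@example.com", "+33600000000", False, False),
]
BY_PHONE = {a.phone: a for a in ACCOUNTS}
BY_EMAIL = {a.email: a for a in ACCOUNTS}


def vulnerable_duplicate_check(phone=None, email=None):
    """Vulnerable pattern: an unauthenticated signup-time duplicate check that
    returns the existing account's ID whenever the contact is taken and ignores
    the owner's discoverability settings. Any caller can map contact -> account,
    which is exactly the enumeration the report warns about."""
    acct = BY_PHONE.get(phone) if phone else BY_EMAIL.get(email)
    if acct is None:
        return {"taken": False}
    return {"taken": True, "user_id": acct.user_id}


def hardened_duplicate_check(phone=None, email=None):
    """Hardened pattern: the response never carries an account identifier and is
    byte-for-byte identical whether or not the contact is registered. If a
    genuine signup must learn that a contact is in use, tell the contact owner
    out-of-band (a message to that phone/email), never the caller."""
    # The lookup still happens (to decide whether to send the out-of-band
    # message), but nothing about the result reaches the response.
    _ = BY_PHONE.get(phone) if phone else BY_EMAIL.get(email)
    return {"status": "ok",
            "message": "If this contact can be used, a verification code has been sent to it."}


def discoverability_lookup(caller_authenticated, phone=None, email=None):
    """The legitimate 'find friends' path: requires an authenticated caller and
    returns a match only when the account owner opted in for that channel."""
    if not caller_authenticated:
        return None
    if phone:
        acct = BY_PHONE.get(phone)
        return acct.handle if acct and acct.discoverable_by_phone else None
    acct = BY_EMAIL.get(email)
    return acct.handle if acct and acct.discoverable_by_email else None


class LookupRateGuard:
    """Per-source sliding-window limit on contact lookups. Sweeping whole phone
    number spaces needs request volumes no real signup flow produces, so a low
    ceiling both blocks it and gives monitoring a clear signal to alert on."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window = window_s
        self.hits = defaultdict(list)   # source -> timestamps of recent lookups

    def allow(self, source, now):
        recent = self.hits[source]
        recent[:] = [t for t in recent if now - t < self.window]
        if len(recent) >= self.limit:
            return False          # over the ceiling: reject and log for detection
        recent.append(now)
        return True


if __name__ == "__main__":
    # Same query, two behaviours: the vulnerable check hands out bob's user_id
    # although bob is not discoverable; the hardened one reveals nothing.
    print(vulnerable_duplicate_check(phone="+33600000000"))
    print(hardened_duplicate_check(phone="+33600000000"))
    print(discoverability_lookup(True, phone="+15550100"))   # alice opted in
    print(discoverability_lookup(True, phone="+33600000000"))  # bob did not
```

The design point is that the duplicate check and the discoverability lookup are different questions and must not share one unauthenticated answer: the first never needs to reveal which account holds a contact, and the second must consult the owner's opt-in before returning anything.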
Twitter itself verified the vulnerability on January 6 and subsequently awarded zhirinovsky a US$5,040 bounty, patching the issue on January 13, with zhirinovsky confirming that the issue had been resolved that day.
On August 5, Twitter posted a statement about the breach, confirming that it had happened and that it was due to the vulnerability flagged in January. The company said it would “directly notify the account users [it] could confirm were affected by this issue”.
Twitter said the data breach was “unfortunate” and encouraged users to enable two-factor authentication to protect their accounts from unauthorized logins. 
