Dec 28 2022

400 Million Twitter Users’ Scraped Info Goes on Sale!

Category: Social networkDISC @ 10:51 am

The sample data seen by Hackread.com shows that the sold information also includes records on top celebrities and political figures, such as Democratic Rep. Alexandria Ocasio-Cortez and Bollywood’s Salman Khan.

On December 23, 2022, a threat actor going by the handle “Ryushi” claimed to sell more than 400 million Twitter users’ personal details on BreachedForums, a cybercrime and hacking forum that surfaced as an alternative to the now-seized Raidforums.

As seen by Hackread.com, the sample data attached to the post contains private email addresses, usernames, follower counts, creation dates, and, in certain cases, the user’s phone numbers.

400 Million Twitter Users' Scraped Info Goes on Sale!
Post from the threat actor (Image credit: Waqas – Hackread.com)

The sample data also contains a variety of well-known user accounts including New York Democratic Rep. Alexandria Ocasio Cortez, Ethereum cryptocurrency founder Buterin, Indian actor Salman Khan and cybersecurity reporter Brian Krebs. 

It is worth mentioning that the latest data leak came just one month after a hacker leaked the contact and personal details of over 5.3 million Twitter users online. Both the earlier and latest incidents are now being investigated by Irish authorities.

The threat actor stated in the post that the data had been “scraped via a vulnerability” but did not specify any further details.

Further, they openly advised the CEO of the social media giant, Elon Musk, that he should buy this data directly from the hacker instead of “paying $276 million USD in GDPR breach fines like Facebook did” but does not specify a price at which the data is being sold.

400 Million Twitter Users' Scraped Info Goes on Sale!

Offering to conduct the “deal” through a middleman, the threat actor states, “After that, I will remove this thread and will not sell this info again. And data won’t be sold to anyone else, which will stop a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing, and other things that will make your users lose trust in you as a company and thus stunt the current growth and hype.”

Researchers who have seen the sample data believe that this alleged data leak is the result of an API flaw which allowed the threat actor to search any email addresses or phone numbers and return a Twitter profile.

This attack followed only months after Twitter entered into a consent order with the US Federal Trade Commission binding it to maintain a privacy and information security program for the next two decades.

The agreement ended a federal investigation into Twitter’s use of phone numbers and email addresses for advertising purposes when they were collected to be used for multi-factor authentication. Twitter also paid a $150 million civil penalty.

Therefore, if this data breach is verified, the impact on Twitter would be drastic both financially and socially. At the time of writing, the data was still up for grabs.

Tags: Twitter, Twitter CISO, Twitter Hack


Jul 26 2022

Twitter hacker touting the data of over 5.4 million users, including celebrities and companies, for $30,000

Category: Information Security,Social networkDISC @ 3:30 pm
A Twitter logo is seen on a computer screen

Over 5.4 million Twitter users have reportedly been targeted in a major breach of personal data following revelations earlier this year that the site had a serious security flaw. 

The security flaw came to light in January, when a user on HackerOne named “zhirinovskiy” pointed out that Twitter was vulnerable to hackers seeking to use information for malicious purposes.

At the time, Zhirinovskiy detailed exactly how to exploit the bug and described it as a “serious threat” even in the hands of those with only a “basic knowledge” of scripting and coding. 

Twitter acknowledged the problem five days later and appeared to have fixed the problem a week after that, when it rewarded Zhirinovskiy with a $5,040 bounty for bringing the vulnerability to its attention. 

A seller with the username ‘devil’ claims that “Celebrities, to Companies, randoms, OGs, etc” are included in the data set and is asking for at least $30,000, RestorePrivacy says. 

A spokesperson from Twitter told Fortune: “We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability.”

The spokesperson added that Twitter was “reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”

https://fortune.com/2022/07/26/twitter-user-data-breach-hacker-lists-database-of-5-million-users-for-sale/

Tags: Twitter Hack


Jul 16 2020

You CAN Stop Stupid

Category: social engineeringDISC @ 9:49 am

You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions: Winkler Ira, Celaya Brown, Dr. Tracy

You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions [Winkler Ira, Celaya Brown, Dr. Tracy] You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions. The Twitter Hack and their “explanation” definitely showed why Ira’s next book with Tracy Celaya Brown is so critical. The fact an admin was “Social Engineered” should be expected with the results controlled.

Source: You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions: Winkler, Ira, Celaya Brown, Dr. Tracy



Twitter: High-profile hacks were part of a ‘Coordinated Social Engineering Attack’
httpv://www.youtube.com/watch?v=Kp86OAYDw0Y



Explore more on “Social Engineering”

Download a Security Risk Assessment Steps paper!

Subscribe to DISC InfoSec blog by Email

Take an awareness quiz to test your basic cybersecurity knowledge

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles




Tags: social engineering, Twitter Hack