Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum.
Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors.
The data mixes scraped public profile fields (Twitter IDs, names, login names, locations and verified status) with information that was never meant to be public: the phone numbers and email addresses tied to those accounts.
Jamie Akhtar, CEO and Co-Founder of CyberSmart, has offered some tips to help users protect themselves and their data, and to recognise the phishing emails that are likely to follow the leak.
“This is a potentially colossal breach that could affect millions of people,” Akhtar said. “As the information is out there, you can be sure that cybercriminals will try to leverage it. So, if you’re a Twitter user, there are a few things worth doing to protect yourself.
“First of all, change your password. Although there’s been no mention of password data being leaked, it’s sensible to do it anyway as a failsafe. Second, be on your guard. If you receive emails (claiming to be from Twitter) suggesting your account has been suspended, you’re about to lose your verified status or there are login issues, ignore them.
“Also, check that any emails you receive from ‘Twitter’ send you to a Twitter URL. Anything else is likely to be a phishing attempt. As we said, this is a serious breach and there’s likely to be a sharp uptick in Twitter-related scams. However, provided users take steps to protect themselves it doesn’t have to become a disaster.”
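Akhtar's advice to check that a link actually points at a Twitter URL is easy to get wrong by eye, because phishing links are built to look right at a glance. The script below is an added example (not code from the article, CyberSmart or Twitter) that applies the check the way a parser would: it pulls links out of an email body, resolves each one's real hostname, and flags anything whose host is not twitter.com, a subdomain of it, or Twitter's t.co link shortener. The trusted-host list and the sample email are assumptions constructed for the example; the tricks it catches (a trusted name used as a subdomain of an attacker's domain, a trusted name placed in the userinfo before an @, a trusted name buried in the path, a plain-http link) are the common ways a link is made to read as "Twitter" while going elsewhere.

```python
import re
from urllib.parse import urlsplit

# Hostnames a genuine Twitter link is expected to resolve to. This list is an
# assumption for the example; t.co is Twitter's own link shortener.
TRUSTED_HOSTS = {"twitter.com", "t.co"}

# Loose URL matcher for email bodies: a scheme, then everything up to
# whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_trusted_twitter_url(url: str) -> bool:
    """Return True only if the link really lands on a trusted Twitter host.

    The decision is made on the parsed hostname, never on whether the
    string contains the word "twitter", so these all return False:
      https://twitter.com.example.net/login   (trusted name as a subdomain)
      https://twitter.com@example.net/login   (trusted name in userinfo)
      https://example.net/twitter.com/login   (trusted name in the path)
      http://twitter.com/login                (not TLS; treat as untrusted)
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    # .hostname strips userinfo and port and lowercases the result; a
    # trailing dot (fully qualified form) is removed so it cannot evade the
    # comparison. Homoglyph domains (e.g. a Cyrillic letter in "twitter")
    # simply fail the string comparison below.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)


def untrusted_links(email_body: str) -> list[str]:
    """Return every link in an email body that does not pass the host check."""
    links = [u.rstrip(".,;:)") for u in URL_RE.findall(email_body)]
    return [u for u in links if not is_trusted_twitter_url(u)]


# Constructed sample: one lookalike link next to one genuine help-centre link.
SAMPLE_EMAIL = """Your account has been suspended. Verify your identity at
https://twitter.com.account-verify.net/login within 24 hours, or review our
policy at https://help.twitter.com/rules-and-policies."""


if __name__ == "__main__":
    for link in untrusted_links(SAMPLE_EMAIL):
        print("untrusted link:", link)
```

Run against the constructed email, only the account-verify.net link is reported; the help.twitter.com link passes because its real host is a subdomain of twitter.com. The same check is what a mail gateway or a browser extension would apply, and the point it makes is the one Akhtar is driving at: decide on the parsed host, not on the text of the link.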
Meanwhile, Javvad Malik, Lead Security Awareness Advocate at KnowBe4, said that people should always remain vigilant, and that the incident shows how quickly criminals pounce when they sense a weakness.
“This breach showcases how quickly criminals move whenever there is a vulnerability, particularly in a large social media site,” Malik said. “With so much information disclosed, criminals could quite easily use it to launch convincing social engineering attacks against users.
“This could be not only to target their Twitter accounts, but also via impersonating other services such as online shopping sites, banks, or even tax offices.
“Therefore, people should always remain on the lookout for any suspicious communications, especially where personal or sensitive information is requested such as passwords. When in doubt, people should contact the alleged service provider directly or log onto their account directly.”