Users will likely ignore their data being leaked. Meanwhile, data security watchdogs might not be so kind and slap Twitter with a hefty fine.
Last week threat actors posted an ad on a popular hacking forum, claiming they were selling the data of over 400 million Twitter users. The post’s author said the dataset included Twitter handles, usernames, email addresses, phone numbers, follower count, and other information.
According to Alex Hamerstone, advisory solutions director at cybersecurity firm TrustedSec, large organizations that handle the data of millions of users are subject to laws and regulations and will likely face responsibility for their actions or inaction.
While threat actors could use the data to carry out phishing attacks, impersonation, and fraud, users will hardly be shocked that their personal data was leaked. WhatsApp, Facebook, LinkedIn, and many others have previously leaked millions of users’ data.
“There is always the issue of lowered user confidence or trust, but I think a lot of consumers have become fairly used to their data being leaked from various places,” Hamerstone told Cybernews.
Only a minority of Twitter users affected by the leak would be more concerned, Hamerstone said. For example, leaked username and email combinations might reveal the identities of account holders operating under a pseudonym or anonymously.
The Cybernews team has found that the threat actors behind the attack aim to sell the dataset for at least $50k. Other reports say that the dataset could be sold for around $200k to an individual buyer.
Mere hours before threat actors announced they were selling Twitter user data, Ireland’s Data Protection Commission launched a probe into Twitter over leaking data of 5.4m users. Adding hundreds of millions of victims to the tally might not bode well for the investigation into Twitter.
“Suffice it to say a large breach could possibly be very expensive with fines and other costs,” Hamerstone explained.
European authorities, operating under the European Union’s General Data Protection Regulation (GDPR), have been strict about how US-based tech giants handle the data of millions of Europeans.
For example, the Irish authorities fined Meta, Facebook’s parent company, €265m ($277m) over a leak that exposed hundreds of millions of user records. In Facebook’s case, threat actors were able to abuse system flaws to harvest user information at scale, a practice known as ‘scraping.’
Threat actors likely obtained the Twitter data using the same practice. According to Alon Gal, Co-Founder and CTO of cybersecurity firm Hudson Rock, the Twitter data might have been obtained from an application programming interface (API) vulnerability.
“The data is increasingly more likely to be valid and was probably obtained from an API vulnerability enabling the threat actor to query any email/phone and retrieve a Twitter profile,” Gal said in a post on LinkedIn.
The bug Gal was writing about is the same one that piqued the interest of Irish regulators over Twitter losing the data of 5.4m users. The flaw allowed threat actors to input phone numbers and email addresses into Twitter’s API and receive a Twitter user ID in return, eventually allowing them to build a dataset consisting of both public and private data.
Threat actors behind the Twitter breach directly addressed the company’s CEO, Elon Musk, offering to sell him the stolen data to avoid paying millions of dollars in fines.
However, as cybersecurity expert Troy Hunt pointed out, Twitter will never agree to pay, leaving affected users in a ‘wait and see’ situation until more details about the leak are available.
While it is unclear if the leaked dataset contains up-to-date information, users are advised to stay vigilant. According to Hamerstone, threat actors could employ the dataset for targeted phishing campaigns and scams.
“A fake email or text purporting to be from Twitter that includes your username and phone number will be more believable to most people than one without that information,” Hamerstone said.