On the 5th of January, I woke up to an unfortunately common email from the website HaveIBeenPwned. They provide a free service which tells you if your details have been found in a data breach and are available online. The email notified me that my Twitter account details were among the 211,524,284 records leaked. My experience as a hacker enabled me not to spill my coffee on my laptop; however, quite understandably, suppressed panic began to make itself felt. Then, gathering my strength, I read through the rest of the email, which explained what sensitive data was leaked.
I then felt relieved that passwords were not amongst the data stolen. But what happened then? The following key points summarise the event and what to do to mitigate its impacts. Rest assured, if you do not have a Twitter account, there is nothing to worry about, and your day can go on as usual. But for fellow Twitter users, there are likely a few points to be addressed, which I have detailed in the following sections.
According to databreachtoday, a vulnerable Twitter application programming interface (API) allowed the threat actors to query previously stolen email addresses used on Twitter. The response from the API then revealed the user’s name (if shared on the website), Twitter username, follower counts, and account creation dates.
It is believed a similar Twitter vulnerability, patched in August 2022, was leveraged to gather the emails. These compromised email addresses then allowed the new vulnerability to be used.
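To make the mechanism concrete, here is an added sketch (not Twitter's code and not from the original article) of a lookup that answers any known email address with the linked profile, next to a hardened version. The account data, the `discoverable` opt-in flag and the per-client cap are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample accounts; every name and address here is made up.
ACCOUNTS = {
    "alice@example.com": {"username": "@night_owl", "name": "Alice A.",
                          "followers": 120, "created": "2015-03-02",
                          "discoverable": False},
    "bob@example.com": {"username": "@bob_b", "name": "Bob B.",
                        "followers": 45, "created": "2019-11-20",
                        "discoverable": True},
}
PROFILE_FIELDS = ("username", "name", "followers", "created")


def lookup_leaky(email):
    """Weak design: any known email is answered with the linked profile."""
    acct = ACCOUNTS.get(email.lower())
    return {f: acct[f] for f in PROFILE_FIELDS} if acct else None


class HardenedLookup:
    """Opt-in discovery, one answer for every miss, and a per-client cap."""

    def __init__(self, max_distinct_emails=2):
        self.max_distinct_emails = max_distinct_emails
        self.seen = defaultdict(set)  # client id -> distinct emails queried

    def lookup(self, client_id, email):
        email = email.lower()
        self.seen[client_id].add(email)
        if len(self.seen[client_id]) > self.max_distinct_emails:
            return {"status": "rate_limited"}
        acct = ACCOUNTS.get(email)
        if acct and acct["discoverable"]:
            return {"status": "ok",
                    "profile": {f: acct[f] for f in PROFILE_FIELDS}}
        # Unknown and opted-out addresses are indistinguishable to the caller.
        return {"status": "not_found"}


if __name__ == "__main__":
    print(lookup_leaky("alice@example.com"))   # pseudonym tied to the email
    api = HardenedLookup()
    for addr in ("alice@example.com", "nobody@example.com", "bob@example.com"):
        print(addr, api.lookup("client-1", addr))
```

The hardened version gives the same answer for an unknown address and an opted-out one, so a response no longer confirms that an email belongs to an account, and the cap limits how many addresses one client can test.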
The Impact
The impact of this leak can’t be seen immediately, as it only allowed the malicious actors to gather details of Twitter’s users. However, this data can be used to conduct targeted phishing attacks or de-anonymise accounts under pseudonyms.
To find out if your account data was compromised in the Twitter hack, check through the HaveIBeenPwned website.
How can you protect yourself?
Assessing emails from a security perspective can be challenging, as phishing emails are designed to look genuine and deceive the user, who will often have other things on their mind after a long day at work! However, to mitigate this issue, there are only a few points to keep in mind:
Following these tips and staying vigilant can help you protect yourself from phishing attacks and other online threats.
For further advice, the Scottish Business Resilience Centre, NCSC, and CyberScotland offer a wealth of cyber security guidance for individuals and organisations, or you can get in touch with us at [email protected].