In July, cybercriminals began selling the data of more than 5.4 million Twitter users on a hacking forum, taking advantage of a Twitter API vulnerability disclosed in December 2021. Recently, a hacker released the information for free.
Image courtesy of Pexels
According to a Twitter blog post in August, the vulnerability allowed hackers to submit email addresses or phone numbers to the API to determine which account they were associated with. While Twitter fixed the vulnerability in January, it still exposed millions of users’ private phone numbers and email addresses.
Salt Security reports that 95 percent of organizations experienced security issues in the API in the last 12 months, and 20 percent suffered a data breach due to a security vulnerability in the API. This high rate of exploitation is in line with Gartner’s prediction that API attacks will be the most frequent attack vector this year.
API vulnerabilities can provide access to an unprecedented amount of data, Avivi notes, and these vulnerabilities provide direct access to underlying data.
The most important threat posed in this breach is social engineering. Cybercriminals could use the names and addresses obtained from this breach to target users with email phishing, voice phishing and phishing scams in an attempt to trick them into handing over their personal information and login credentials.
While these scams will target end users, organizations and security teams can provide timely updates to ensure users are aware of the threats they are most likely to be exposed to and how to respond to them. It’s also a good idea for security teams to remind employees to activate two-factor authentication on their personal accounts to reduce the likelihood of unauthorized logins.
