Twitter experienced slight degradation of service today from an old 3rd party tool used to block accounts that had no rate limit (sigh). Should be fixed now.
— Elon Musk (@elonmusk) November 28, 2022
Initially, the issue was corrected through a bug bounty program in December 2021, but hackers had already begun selling users’ data in July 2022.
The full scope of the security compromise was revealed over the weekend by a post from BleepingComputer, and Twitter confirmed that the API bug wasn’t fixed until January 2022.
In a privacy breach statement, Twitter stated that it “deeply regretted” allowing the incident to occur and added that it would immediately notify all affected users.
Security experts cautioned that it is still unclear to what extent hackers may be able to use the data.
“This is a potentially colossal breach that could affect millions of people,” said Jamie Akhtar, CEO of CyberSmart. “As the information is out there, you can be sure that cybercriminals will try to leverage it.”
In the coming weeks, users will be warned to avoid suspicious emails or SMS messages claiming to be from Twitter.
“Although data scraped from a website may not seem like a normal data breach, threat actors can do a lot of damage when they couple it together with private data such as phone numbers and email addresses,” said Jake Moore, a cyber security advisor at ESET.
“Suddenly, the information collected can become far more significant as cybercriminals are then able to attempt a variety of phishing attacks on accounts and gain further illicit access to multiple accounts. [These types of] vulnerabilities can cause significant damage, but they are usually patched quickly, as was the case with this one. However, nefarious actors, unfortunately, abused this exploit whilst available.”