A data dump of Twitter user details on an underground forum appears to stem from an API endpoint compromise and large-scale data scraping.


Data from 200 million Twitter users has been gathered and put up for free on an underground hacking forum, researchers are warning.

Public account details, including account name, handle, creation date, and follower count are all part of the 63GB worth of data uploaded to the Dark Web on Jan. 4, according to an investigation from Privacy Affairs. The cybercriminal responsible said the materials were collected via data scraping, which is a process of using automated scripts to lift public data from social media sites. However, the database also contains email addresses, the firm found — which aren't part of users' public profiles.

"The availability of the email addresses associated with the listed accounts could be used to determine the real-life identity or location of the affected account holders through social engineering attacks," said Miklos Zoltan, founder at Privacy Affairs, in a blog post. "The email addresses could also be used for spam or scam marketing campaigns and for sending personal threats to individual users."

While it's unclear how the email addresses were accessed, Zoltan noted that the "most likely method used could have been the abuse of an application programming interface (API) vulnerability." After all, at least one past Twitter data leak stemmed from the abuse of a Twitter API, resulting in the linking of phone numbers with Twitter handles. And in August, thousands of mobile apps were found to be leaking Twitter API keys.

Other researchers concur with Zoltan's assessment.

"API security is the real story here," Sammy Migues, principal scientist at Synopsys, said in an emailed statement. "As cloud-native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices. Certainly, this effort is growing much faster than the skills and numbers of application architects who can craft working secure API and zero trust architectures."

Twitter has so far been mum on the developments, and did not immediately respond to a request for comment from Dark Reading.

Public Profile Data Scraping Represents Real Risk

The 200 million Twitter records appear to be the same data set that appeared for sale for $200,000 in underground markets in December, Privacy Affairs added. At the time, there were 400 million profiles included, but the firm said this latest listing de-duped the database, resulting in a leaner data set with no repeats — and it's now being offered for free to anyone who wants to download it.

Aside from the cyber-danger involved in leaking emails associated with Twitter handles, even the publicly available data could be used for highly targeted attacks.

Specifically, it can be cross-referenced with other data that a user may have shared across platforms to create a 360-degree view of a person — their interests, their likes, the social circles they run in, and even corporate activity (remember, Twitter handles are often used on corporate sites in lieu of direct contact info — and can thus act as metatags that attackers can use to track the user's web presence, far outside of Twitter itself).

In this case, because so much data has been collected into a single, convenient database, this cross-referencing, and the attacks it can enable, can now be automated. This is a real problem not just for social media users but for the platforms themselves — both Facebook and LinkedIn have faced fines and general hot water for past data-scraping incidents. And who can forget the former's Cambridge Analytica scandal, in which a mind-boggling number of public user profiles and posts were scraped and used to target political messaging to site users.

As far as how to protect oneself from any follow-on cyberattacks (or influence targeting), best practices still apply, according to Jamie Boote, associate software security consultant at Synopsys.

"As always, malicious actors have your email address," he said, via email. "To be safe, users should change their Twitter password and make sure it's not reused for other sites. And from now on, it's probably best to just delete any emails that look like they're from Twitter to avoid phishing scams."

There's also a cautionary tale here about being careful with what one shares publicly on social media, so as not to make it easy for cyberattackers to build rich data profiles.

And Privacy Affairs' Zoltan offered another lesson to be learned: "While not a very popular method at the moment, it would also be useful to use 'burner' email addresses or separate email addresses for online accounts while forwarding emails to a master address. This way, even if the email address associated with a Twitter or any other account is leaked, it can’t be associated with the end-user’s identity or other online services."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading
