Twitter account information on 200 million users, including Google CEO Sundar Pichai and Donald Trump Jr., is now available for free on a hacker forum, according to security researchers.
The researchers at Privacy Affairs, a group of experts in several countries, say the data comes from the same trove of information on 400 million Twitter users that was offered for sale on the dark web for US$200,000 in December.
This isn't a new data leak, say the researchers, but the removal of duplicate records from the cache put up for sale last month.
The data includes account name, handle, creation date, follower count, and e-mail address. It also includes the accounts created by various organizations such as SpaceX, CBS Media and the National Basketball Association.
It doesn't include passwords. However, the researchers warn "the availability of the e-mail addresses associated with the listed accounts could be used to determine the real-life identity or location of the affected account holders through social engineering attacks. The e-mail addresses could also be used for spam or scam marketing campaigns and for sending personal threats to individual users."
The hackers claim they obtained this data by scraping information collected by Twitter from its users. However, the researchers admit they aren't sure how the data was obtained. The most likely method may have been the abuse of an application programming interface (API) vulnerability.
Data scraping of Twitter isn't new. All one has to do is a Google search for "Twitter scraping" to find tips and tools for doing it.
"The simple, structured format of Twitter and its various posting features makes it relatively easy to navigate and scrape," James Phoenix wrote last February for a website called Just Understanding Data. The Twitter API does allow users to read and write Twitter data, he added, noting, "Using the Twitter API instead of scraping Twitter data ensures compliance with Twitter's terms of service, but it's not as efficient or flexible as using scraping services."
According to the Bleeping Computer news service, this new cache of data is not free, but costs a mere US$2.00.
Privacy Affairs says that on the hacker forum where this data haul is being advertised, a user must buy 'credits' to download leaks posted by forum users. The forum poster is offering the data for free; the forum, however, charges a credit (~$2) to initiate a download.
Bleeping Computer also notes that, since July 22, hackers have been selling and circulating large data sets of scraped Twitter user profiles containing both private (phone numbers and e-mail addresses) and public data on various online hacker forums. These data sets were created in 2021 by exploiting a Twitter API vulnerability that allowed users to enter e-mail addresses and phone numbers to confirm whether they were associated with a Twitter ID. The threat actors then used another API to scrape the public Twitter data for the ID and combined this public data with the private e-mail addresses/phone numbers to create profiles of Twitter users.
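The weakness described above is a classic account-enumeration flaw: a contact-lookup endpoint whose response reveals whether an e-mail or phone number is tied to an account. The following added example (not Twitter's code, nor anything published by the researchers cited here) contrasts a lookup that leaks existence with a hardened one that returns an identical body for every contact, limits requests per client, and performs any real action on a match out of band. The `ACCOUNTS` table and its `discoverable` flag are constructed sample data and an assumed opt-in setting, not a description of Twitter's actual data model.

```python
from collections import defaultdict

# Constructed sample directory of contact details -> account record.
# The "discoverable" flag is an assumption for this example: whether the
# account owner opted in to being found by e-mail address or phone number.
ACCOUNTS = {
    "alice@example.com": {"account_id": 1001, "discoverable": True},
    "+15550001111": {"account_id": 1002, "discoverable": False},
}


def lookup_vulnerable(contact):
    """Weak design: the response differs depending on whether the contact
    exists, so any caller can confirm which e-mails/phones are linked to an
    account and then join them to public profile data fetched by account id."""
    record = ACCOUNTS.get(contact)
    if record is None:
        return {"found": False}
    return {"found": True, "account_id": record["account_id"]}


class ContactLookupHardened:
    """Hardened design: one uniform response whether or not the contact
    matches, a per-client request budget, and any action on a match (here,
    queuing an out-of-band message to the owner) kept invisible to the caller."""

    def __init__(self, max_requests_per_window=5):
        self.max_requests = max_requests_per_window
        self.request_counts = defaultdict(int)
        self.outbox = []  # stands in for an out-of-band notification queue

    def lookup(self, client_id, contact):
        self.request_counts[client_id] += 1
        if self.request_counts[client_id] > self.max_requests:
            # Budget exceeded: refuse before the contact is processed at all.
            return {"status": "rate_limited"}
        record = ACCOUNTS.get(contact)
        if record is not None and record["discoverable"]:
            # Only discoverable accounts trigger any action, and it stays
            # server-side rather than being reflected in the response.
            self.outbox.append((record["account_id"], contact))
        # Identical body for a hit, a miss, and a non-discoverable hit.
        return {"status": "accepted"}


def response_leaks_existence(lookup_fn, known_contact, unknown_contact):
    """Simple check a reviewer can run against an endpoint: do a contact that
    is known to exist and one that does not produce different responses?"""
    return lookup_fn(known_contact) != lookup_fn(unknown_contact)


if __name__ == "__main__":
    print("vulnerable leaks:",
          response_leaks_existence(lookup_vulnerable,
                                   "alice@example.com", "nobody@example.com"))
    svc = ContactLookupHardened()
    print("hardened leaks:",
          response_leaks_existence(lambda c: svc.lookup("reviewer", c),
                                   "alice@example.com", "nobody@example.com"))
```

The uniform response alone does not close the hole if the endpoint's timing differs between the two branches or if an attacker can issue unbounded requests, which is why the hardened version pairs it with a per-client budget; in a real deployment that budget would be keyed on an authenticated client and enforced in shared state rather than in-process memory.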
Although Twitter fastened this flaw in January 2022, the information report says, menace actors have not too long ago begun to leak the info units they collected over a yr in the past free of charge.