Twitter Data

(Photo by Samantha Laurey / AFP)

Twitter data breaches expose weaknesses Elon Musk needs to solve quickly

Getting your Trinity Audio player ready...

Since Twitter was taken over by Elon Musk, there have been multiple reports of data breaches affecting the social media company. The most recent Twitter data breach involves records of some 234 million accounts and email addresses that were used to register Twitter accounts. The data has been posted to an online hacking forum, enabling the possibility of even more troubles as the emails can be linked to real-world identities.

Yet, the company continues to reduce its workforce, raising concerns among some on how it plans to ensure its users that their data is secure, and that the app is not vulnerable to any cyber threats.  

According to a report by The Washington Post, the data was compiled in late 2021 through a flaw in Twitter’s system. The flaw allowed outsiders who already had an email address or phone number to find any account that had shared that information with Twitter.

Twitter learned of the vulnerability in January 2022 through a bug bounty program. In July 2021, hackers were also reported selling about 5.4 million Twitter account handles and associated emails and phone numbers.


In a LinkedIn post, Alon Gal, co-founder and CTO of HudsonRock, who also discovered the Twitter data, stated the “database is real and has an impact on almost every Twitter user.” Gal also wrote that there is more than one threat action selling the data, with the database likely circulating heavily.


“It is however important to note that the patched vulnerability that enabled this leak did not allow users to be discovered through their phone numbers and I suspect that threat actors took advantage of this fact, and a database with phone numbers of an unknown amount of Twiter users, likely exists,” added Gal.


Gal also believes that the original offering by the threat actor “Ryushi” contains duplications and was likely enriched later with phone numbers to some extent. He added that this is corroborated by two different actors, both of which confirm that the database contains 235,000,000 records


Meanwhile, Sammy Migues, Principal Scientist at Synopsys Software Integrity Group pointed out that API security is the real story. For Migues, as cloud-native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices.


“Certainly, this effort is growing much faster than the skills and numbers of application architects who can craft working secure API and zero trust architectures. It’s also growing faster than the time there is available to do threat modelling and skilled security testing. In this case, the lapse in API security resulted in email addresses tied to Twitter accounts and it seems the marketplace has spoken on the value of that data–next to nothing,” said Migues.


At the same time, Jamie Boote, Associate Principal Consultant at Synopsys Software Integrity Group also highlighted that in 2021, people discovered that the Twitter API could be used to disclose email addresses that were provided from other sources and also leak some other semi-public info like the Twitter handle linked with that email address. Boote said several groups then used leaked email dumps as seed material to start farming for handles that they could then gather other information such as follower counts, profile creation date, and other information available on a Twitter profile.


“This issue was then fixed last year. After all that, Musk bought Twitter, and dumps of these started showing up for sale as hackers were looking to get paid for their efforts. Most recently, it appears as though someone collected a bunch of these—plus combined with some new accounts—and tried to get Musk to pay up for them.


This is a common example of how an unsecured API that developers design to “just work” can remain unsecured because when it comes to security, what is out-of-sight is often out-of-mind;  humans are terrible at securing what they can’t see. As always, malicious actors have your email address. To be safe, users should change their Twitter password and make sure it’s not reused for other sites. And from now on, it’s probably best to just delete any emails that look like they’re from Twitter to avoid phishing scams,” stated Boote.


For now, Elon Musk has got his hands tied trying to figure out not only who should run the social media company but also how he can solve the data breaches, especially since Twitter’s workforce continues to be reduced since the takeover.