Check out all the on-demand sessions from the Intelligent Security Summit here.
In July this year, cybercriminals began selling the user data of more than 5.4 million Twitter users on a hacking forum after exploiting an API vulnerability disclosed in December 2021.
Recently, a hacker released this information for free, just as other researchers reported a breach affecting millions of accounts across the EU and U.S.
According to a blog post from Twitter in August, the exploit enabled hackers to submit email addresses or phone numbers to the API to identify which account they were linked to.
While Twitter fixed the vulnerability in January this year, it still exposed millions of users’ private phone numbers and email addresses, and highlights that the impact of exposed APIs can be devastating for modern organizations.
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
The true impact of API attacks
The Twitter breach comes amid a wave of API attacks, with Salt Security reporting that 95% of organizations experienced security problems in production APIs over the past 12 months, and 20% suffered a data breach as a result of security gaps in APIs.
One of the unfortunate realities of API attacks is that vulnerabilities in these systems provide access to unprecedented amounts of data, in this case, the records of 5.4 million users or more.
“Because APIs are meant to be used by systems to communicate with each other and exchange massive amounts of data — these interfaces represent an alluring target for malicious actors to abuse,” said Avishai Avivi, SafeBreach CISO.
Avivi notes that these vulnerabilities provide direct access to underlying data.
“While traditional software vulnerabilities and API vulnerabilities share some common characteristics, they are different at their core. APIs, to an extent, trust the system that is trying to connect to them,” Avivi said.
This trust is problematic because once an attacker gains access to an API, they have direct access to an organization’s underlying databases, and all the information contained within them.
What’s the threat now? Social engineering
The most significant threat emerging from this breach is social engineering. Using the names and addresses harvested from this breach, it is possible that cybercriminals will target users with email phishing, voice phishing, and smishing scams to try and trick users into handing over personal information and login credentials.
“With so much information disclosed, criminals could quite easily use it to launch convincing social engineering attacks against users. This could be not only to target their Twitter accounts, but also via impersonating other services such as online shopping sites, banks or even tax offices,” said Javvad Malik, security awareness advocate with KnowBe4.
While these scams will target end users, organizations and security teams can provide timely updates to ensure that users are aware of the threats they’re most likely to counter and how to address them.
“People should always remain on the lookout for any suspicious communications, especially where personal or sensitive information is requested such as passwords,” Malik said. “When in doubt, people should contact the alleged service provider directly or log onto their account directly.”
It’s also a good idea for security teams to remind employees to activate two-factor authentication on their personal accounts to reduce the likelihood of unauthorized logins.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.