
Twitter data breach shows APIs are a goldmine for PII and social engineering



A Twitter API vulnerability shipped in June 2021 (and later patched) has come back to haunt the organization. In December, one hacker claimed to have the personal data of 400 million users for sale on the dark web, and just yesterday, attackers released the account details and email addresses of 235 million users for free.

Information exposed as part of the breach includes users’ account names, handles, creation dates, follower counts and email addresses. When put together, threat actors can use these details to build social engineering campaigns that trick users into handing over their personal data.

While the information exposed was limited to users’ publicly available information, the high volume of accounts exposed in a single location provides threat actors with a goldmine of information they can use to orchestrate highly targeted social engineering attacks.

Social media giants offer cybercriminals a gold mine of information they can use to conduct social engineering scams.


With just a name, email address and contextual information taken from a user’s public profile, a hacker can conduct reconnaissance on a target and develop purpose-built scams and phishing campaigns to trick them into handing over personal information.

“This leak essentially doxxes the personal email addresses of high-profile users (but also of regular users), which can be used for spam harassment and even attempts to hack those accounts,” said Miklos Zoltan, Privacy Affairs security researcher. “High-profile users may get inundated with spam and phishing attempts on a mass scale.”

For this reason, Zoltan recommends that users create different passwords for each site they use to reduce the risk of account takeover attempts.

Insecure APIs provide cybercriminals with a direct line to users’ personally identifiable information (PII), usernames and passwords, which can be captured when a client connects to a third-party service’s API. API attacks therefore give attackers a window through which to harvest personal data for scams en masse.

This happened just a month ago when a threat actor successfully applied to the FBI’s InfraGard intelligence sharing service and used an API vulnerability to collect the data of 80,000 executives across the private sector, then put it up for sale on the dark web.

Information collected during the incident included data such as usernames, email addresses, Social Security numbers and dates of birth — all highly valuable information for developing social engineering scams and spear phishing attacks.

Unfortunately, it appears that this trend of API exploitation will only get worse, with Gartner predicting that this year, API abuse will become the most frequent attack vector.

Beyond APIs that ‘just work’

Organizations, too, are increasingly concerned about API security, with 94% of technology decision-makers reporting they are only moderately confident in their organization’s ability to materially reduce API data security issues.

From now on, enterprises that leverage APIs need to be much more proactive about baking security into their products, while users need to take extra caution around potentially malicious emails.

“This is a common example of how an unsecured API that developers design to ‘just work’ can remain unsecured, because when it comes to security, what is out-of-sight is often out-of-mind,” said Jamie Boote, associate software security consultant at Synopsys Software Integrity Group. “From now on, it’s probably best to just delete any emails that look like they’re from Twitter to avoid phishing scams.”

Protecting APIs and PII

One of the core challenges around addressing API breaches is the fact that modern enterprises need to discover and secure thousands of APIs.

“Protecting organizations from API attacks requires consistent, diligent oversight of vendor management, and specifically ensuring that every API is fit for use,” said Chris Bowen, CISO at ClearDATA. “It’s a lot for organizations to manage, but the risk is too great not to.”

There’s also a slim margin for error, as a single vulnerability can put user data directly at risk of exfiltration.

“In healthcare, for example, where patient data is at stake, every API should address several components like identity management, access management, authentication, authorization, data transport and exchange security, and trusted connectivity,” said Bowen.

It’s also important that security teams not make the mistake of relying solely on simple authentication options such as usernames and passwords to protect their APIs.

“In today’s environment, basic usernames and passwords are no longer enough,” said Will Au, senior director for DevOps, operations and site reliability at Jitterbit. “It’s now vital to use standards such as two-factor authentication (2FA) and/or secure authentication with OAuth.”

Other steps, like deploying a Web Application Firewall (WAF) and monitoring API traffic in real time, can help to detect malicious activity and reduce the chance of compromise.
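The real-time API monitoring mentioned above can catch the pattern behind breaches like this one: a single client resolving an unusually large number of distinct identifiers through a lookup endpoint in a short window. The following is an added example (not code from the article, from Twitter, or from any vendor quoted here); the log format, the `/users/by_email` endpoint name, the client ids and the thresholds are all assumptions chosen for illustration.

```python
"""Sliding-window detection of mass account lookups (enumeration) in API logs.

Added illustrative example; the log format, endpoint name and thresholds below
are assumptions, not a real service's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client id, endpoint, HTTP status, lookup key.
# client-A resolves eight different emails in ~20 seconds; client-B behaves normally.
SAMPLE_LOG = """\
2023-01-05T10:00:00Z client-A /users/by_email 200 u1@example.com
2023-01-05T10:00:03Z client-A /users/by_email 200 u2@example.com
2023-01-05T10:00:05Z client-B /users/by_email 200 carol@example.com
2023-01-05T10:00:06Z client-A /users/by_email 404 u3@example.com
2023-01-05T10:00:09Z client-A /users/by_email 200 u4@example.com
2023-01-05T10:00:12Z client-A /users/by_email 200 u5@example.com
2023-01-05T10:00:15Z client-A /users/by_email 404 u6@example.com
2023-01-05T10:00:18Z client-A /users/by_email 200 u7@example.com
2023-01-05T10:00:21Z client-A /users/by_email 200 u8@example.com
2023-01-05T10:00:30Z client-B /tweets/timeline 200 -
2023-01-05T10:00:40Z client-B /users/by_email 200 carol@example.com
"""

LOOKUP_ENDPOINT = "/users/by_email"   # assumed name of the PII-resolving endpoint
WINDOW = timedelta(seconds=60)
MAX_DISTINCT_LOOKUPS = 5  # a normal client rarely resolves many unrelated keys per minute

def parse_line(line):
    """Split one log line into (timestamp, client, endpoint, status, key)."""
    ts, client, endpoint, status, key = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, endpoint, int(status), key

def find_enumerators(log_text, window=WINDOW, max_distinct=MAX_DISTINCT_LOOKUPS):
    """Return {client: peak distinct keys seen in any window} for clients over threshold."""
    windows = defaultdict(deque)   # client -> deque of (timestamp, key) inside the window
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, client, endpoint, _status, key = parse_line(line)
        if endpoint != LOOKUP_ENDPOINT:
            continue                       # only the identifier-resolving endpoint matters
        q = windows[client]
        q.append((ts, key))
        while q and ts - q[0][0] > window: # drop events older than the window
            q.popleft()
        distinct = len({k for _, k in q})  # distinct keys, so retries of one key don't count
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged
```

Both 200 and 404 responses are counted, since an enumeration run produces many of each; in production the same logic would key on the API token or source address and feed a rate limiter or alert rather than a dict.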


Greg Aftayev

Greg Aftayev is a Journalist at Flaunt Weekly Covering Tech News.
