February 26, 2023

Was Twitter Hacked?

Twitter said on Wednesday that its investigation found no “evidence” that user data sold online was obtained by exploiting security flaws in its systems.


“Based on the information and intel analyzed to investigate the matter, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems,” the company said in a statement. “The data is likely a collection of data that is already publicly available online through various sources.”


The statement follows multiple reports that Twitter data belonging to millions of users, 5.4 million in November 2022, 400 million in December 2022 and 200 million last week, has been put up for sale on online crime forums.


The social media giant added that the leak “could not be correlated with the previously reported incident, nor with any new incident”, and that no passwords were exposed. The datasets released in December and January are believed to be the same, the second with duplicate entries removed. In August 2022 Twitter acknowledged that a code change in June 2021 had introduced an API bug that let anyone who submitted an email address or phone number learn which Twitter account, if any, it was associated with. The vulnerability was exploited to harvest information from 5.48 million user records before it was fixed.
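An added illustration of the bug class described above, written for this page and not Twitter’s code: a lookup endpoint that maps an email address or phone number to an account handle. The vulnerable handler answers for every account and can be scripted against a list of identifiers taken from some unrelated breach; the hardened handler honours a per-user discoverability opt-in (assumed here as the control such a lookup should be gated by), returns the same response for “no such account” and “opted out”, and rate-limits each caller. All accounts, identifiers, limits and the caller name are constructed sample data.

```python
import time
from dataclasses import dataclass


@dataclass
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = False   # assumed per-user opt-in setting
    discoverable_by_phone: bool = False


# Constructed sample data: two accounts, one of which allows lookup by email.
ACCOUNTS = [
    Account("alice", "alice@example.com", "+15550100", discoverable_by_email=True),
    Account("bob", "bob@example.net", "+15550101"),
]


def _normalise(identifier: str) -> str:
    return identifier.strip().lower()


def lookup_vulnerable(identifier: str) -> dict:
    """Answers for every account regardless of its settings: an oracle that
    turns any list of emails/phones into a list of handles."""
    ident = _normalise(identifier)
    for acct in ACCOUNTS:
        if ident in (acct.email.lower(), acct.phone):
            return {"found": True, "handle": acct.handle}
    return {"found": False}


class RateLimiter:
    """Fixed-window limiter keyed by caller. The clock is injectable so the
    behaviour is deterministic when exercised offline."""

    def __init__(self, max_calls: int, window_s: float, clock=time.monotonic):
        self.max_calls = max_calls
        self.window_s = window_s
        self.clock = clock
        self._windows = {}   # caller -> (window start, calls in window)

    def allow(self, caller: str) -> bool:
        now = self.clock()
        start, count = self._windows.get(caller, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0          # new window for this caller
        if count >= self.max_calls:
            self._windows[caller] = (start, count)
            return False
        self._windows[caller] = (start, count + 1)
        return True


def lookup_hardened(identifier: str, caller: str, limiter: RateLimiter) -> dict:
    """Same lookup with three changes: the caller is rate-limited, the
    account's opt-in is honoured, and "opted out" is indistinguishable from
    "no such account", so a miss leaks nothing about whether the identifier
    is registered."""
    if not limiter.allow(caller):
        return {"error": "rate_limited"}
    ident = _normalise(identifier)
    for acct in ACCOUNTS:
        if ident == acct.email.lower() and acct.discoverable_by_email:
            return {"found": True, "handle": acct.handle}
        if ident == acct.phone and acct.discoverable_by_phone:
            return {"found": True, "handle": acct.handle}
    return {"found": False}


def harvest(candidates, lookup) -> list:
    """What an attacker's script does: feed identifiers from an unrelated
    leak to the endpoint and keep the hits."""
    hits = []
    for candidate in candidates:
        result = lookup(candidate)
        if result.get("found"):
            hits.append(result["handle"])
    return hits


if __name__ == "__main__":
    # Constructed "leaked" identifier list, as an attacker would feed it in.
    leaked = ["alice@example.com", "bob@example.net", "+15550101", "nobody@example.org"]
    print("vulnerable:", harvest(leaked, lookup_vulnerable))
    limiter = RateLimiter(max_calls=100, window_s=60)
    print("hardened:", harvest(leaked, lambda c: lookup_hardened(c, "attacker", limiter)))
```

Run stand-alone, the vulnerable handler yields every account in the list (alice, bob, and bob again via his phone number) while the hardened one yields only alice, the single user who chose to be findable by email. The rate limit does not change the answers; it is what makes harvesting millions of records expensive rather than a weekend script.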


Ryushi, the threat actor who posted a dump of the data on the BreachForums portal in December 2022, claimed that the information was collected using the now-patched vulnerability. It is currently unknown how the dataset was actually obtained, or whether it was compiled before the vulnerability was patched in January 2022.


The Irish Data Protection Commission (DPC) announced last month that it was investigating the data leak reported in November, which affected 5.4 million Twitter users worldwide and which Twitter said was “similar to the data exposed in August 2022”.


The Elon Musk-owned company also said it was in contact with the relevant data protection authorities to clarify the “alleged incidents”, and urged users to enable two-factor authentication (2FA) and to watch out for phishing attempts. Note what 2FA does and does not buy here: the dataset ties handles to email addresses and phone numbers, which de-anonymises pseudonymous accounts and hands phishers a targeting list. 2FA limits account takeover but does not undo that exposure.


Reference:

Twitter Denies Hacking Claims, Assures Leaked User Data Not from its System, Ravie Lakshmanan, The Hacker News, 12 January 2023

https://thehackernews.com/2023/01/twitter-denies-hacking-claims-assures.html


Stupid security 2022 – this year’s infosec fails

As 2022 draws to a close, The Daily Swig looks back at some of the year’s most notable web security wins and critical IT security flaws.


Tomorrow we’ll post a few examples of the year’s cybersecurity successes, but today we start with interesting vulnerabilities, security disasters and a “must do better” dashboard.


Reddit NSFW bypass

Reddit’s “Not Safe for Work” restrictions could have been bypassed through a cross-site request forgery (CSRF) vulnerability that the social media platform fixed in February.


The flaw let an attacker trick a logged-in user into switching on the “I’m over eighteen” option, and so opt the account in to adult content, simply by getting them to visit a page that submitted the settings change on their behalf.
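As an added example (not Reddit’s code), here is the shape of a preference endpoint with the CSRF weakness described above, beside a hardened version. The vulnerable handler authenticates the request by the session cookie alone, and a browser attaches that cookie to a cross-site form post automatically, so a page the victim merely visits can flip the flag. The hardened handler additionally requires a per-session synchronizer token that a third-party page cannot read, and rejects a foreign Origin header. The session store, server secret, site and attacker origins, and the attacker page are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_SECRET = secrets.token_bytes(32)     # assumed per-deployment secret
SITE_ORIGIN = "https://social.example"      # assumed origin of the site itself

# Constructed session store: the cookie value maps to the logged-in user.
SESSIONS = {"sess-alice": {"user": "alice", "over_18": False}}


@dataclass
class Request:
    """The parts of an HTTP request the handlers below look at."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# The attacker's page (constructed): when the victim loads it, the browser
# submits the form to the site and attaches the victim's session cookie.
ATTACKER_PAGE = f"""
<form id="f" action="{SITE_ORIGIN}/prefs/over_18" method="POST">
  <input type="hidden" name="over_18" value="on">
</form>
<script>document.getElementById("f").submit();</script>
"""


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The site embeds it in its own forms; a third-party page can neither read
    it (same-origin policy) nor forge it (no secret)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def set_over_18_vulnerable(req: Request) -> dict:
    """Trusts the session cookie alone, so any cross-site POST succeeds."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if req.method != "POST" or sess is None:
        return {"status": 403}
    sess["over_18"] = req.form.get("over_18") == "on"
    return {"status": 200, "over_18": sess["over_18"]}


def set_over_18_hardened(req: Request) -> dict:
    """Also requires a valid token and, when Origin is present, a same-site one."""
    sid = req.cookies.get("session", "")
    sess = SESSIONS.get(sid)
    if req.method != "POST" or sess is None:
        return {"status": 403}
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return {"status": 403}
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(sid).encode()):
        return {"status": 403}
    sess["over_18"] = req.form.get("over_18") == "on"
    return {"status": 200, "over_18": sess["over_18"]}


def forged_request() -> Request:
    """What arrives when the victim loads ATTACKER_PAGE: attacker-chosen form
    fields, the victim's cookie, and the attacker's Origin."""
    return Request("POST", cookies={"session": "sess-alice"},
                   form={"over_18": "on"}, headers={"Origin": "https://evil.example"})


def legitimate_request() -> Request:
    """The site's own form post, carrying the token it embedded for this session."""
    sid = "sess-alice"
    return Request("POST", cookies={"session": sid},
                   form={"over_18": "on", "csrf_token": csrf_token(sid)},
                   headers={"Origin": SITE_ORIGIN})


if __name__ == "__main__":
    print("vulnerable, forged:", set_over_18_vulnerable(forged_request()))
    SESSIONS["sess-alice"]["over_18"] = False
    print("hardened, forged:", set_over_18_hardened(forged_request()))
    print("hardened, legitimate:", set_over_18_hardened(legitimate_request()))
```

Marking the session cookie SameSite=Lax (the default in Chromium-based browsers) would also stop this particular cross-site POST, but the token check is the control that holds regardless of browser defaults, and it still applies when the forged request arrives with no Origin header at all, which is why the handler above does not treat a missing Origin as proof of legitimacy.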


This medium-severity bug earned the researcher who discovered it a $500 bounty.

QWAckers

Mozilla, the Electronic Frontier Foundation and dozens of IT security experts this year urged European lawmakers to scrap a plan that would force web browsers to accept contested website certificates issued under the bloc’s rules.


The proposed change to Article 45 of the eIDAS (electronic IDentification, Authentication and trust Services) regulation would require browsers to accept Qualified Website Authentication Certificates (QWACs) issued by trust service providers designated by member states. The objection is that browsers would then have to trust those certificate authorities whether or not they meet the browsers’ own root-program security requirements, and could not distrust one that misissued certificates.

Reference:

Stupid security 2022 – this year’s infosec fails, Adam Bannister, The Daily Swig, 29 December 2022

https://portswigger.net/daily-swig/stupid-security-2022-this-years-infosec-fails
