Security News

Twitter whistleblower Peiter 'Mudge' Zatko lands new gig at Rapid7
2023-01-05 12:30

Former Twitter security chief and whistleblower Peiter "Mudge" Zatko has landed his first official role since he left the company, a part-time job as "Executive in residence" with cybersecurity firm Rapid7. Zatko has a reputation for both bluntness and skill that only solidified after he was fired from Twitter.

200 million Twitter users' email addresses allegedly leaked online
2023-01-04 20:16

Since July 22nd, 2022, threat actors and data breach collectors have been selling and circulating large data sets of scraped Twitter user profiles containing both private and public data on various online hacker forums and cybercrime marketplaces. These data sets were created in 2021 by exploiting a Twitter API vulnerability that allowed users to input email addresses and phone numbers to confirm whether they were associated with a Twitter ID. The threat actors then used another API to scrape the public Twitter data for the ID and combined this public data with private email addresses/phone numbers to create profiles of Twitter users.

Twitter data of “+400 million unique users” up for sale – what to do?
2022-12-28 19:59

"I'm selling data of +400 million unique Twitter users that was scraped via a vulnerability, this data is completely private." Although the crooks behind this data sell-off wrote that the information "Includes emails and phone numbers", it seems likely that's the only truly private data in the dump, given that it seems to have been acquired back in 2021, using a vulnerability that Twitter says it fixed back in January 2022.

Stolen info on 400m+ Twitter accounts seemingly up for sale
2022-12-27 20:01

A miscreant this Christmas weekend said they are willing to sell public and private info on more than 400 million Twitter accounts. The records were apparently scraped in 2021 via a security flaw fixed earlier this year in a backend API that the Twitter Android app used.

Hacker claims to be selling Twitter data of 400 million users
2022-12-26 20:44

A threat actor claims to be selling public and private data of 400 million Twitter users scraped in 2021 using a now-fixed API vulnerability. The alleged data dump is being sold by a threat actor named 'Ryushi' on the Breached hacking forum, a site commonly used to sell user data stolen in data breaches.

Massive Twitter data leak investigated by EU privacy watchdog
2022-12-23 15:06

"The DPC corresponded with Twitter International Unlimited Company in relation to a notified personal data breach that TIC claims to be the source vulnerability used to generate the datasets and raised queries in relation to GDPR compliance," the Irish privacy regulator said on Friday. Twitter's lead EU watchdog wants to determine if Twitter has complied with its obligation as a data controller regarding the processing of users' data and if it infringed any General Data Protection Regulation or Data Protection Act 2018 provisions.

Twitter staffer turned Saudi spy jailed for 3.5 years
2022-12-16 19:55

At the time, Abouammo was facing up to 20 years behind bars for, while working for Twitter in the US, leaking to Saudi Arabia sensitive information about 6,000 Twitter accounts that could be used to identify and locate users who were of interest to the Saudi royals. Instead, a judge this week sentenced Abouammo to 42 months in federal prison followed by three years of supervised release.

Ex-Twitter employee Gets 3.5 Years Jail for Spying on Behalf of Saudi Arabia
2022-12-16 13:08

A former Twitter employee who was found guilty of spying on behalf of Saudi Arabia by sharing data pertaining to specific individuals has been sentenced to three-and-a-half years in prison. Ahmad Abouammo, 45, was convicted earlier this August on various criminal counts, including money laundering, fraud, falsifying records, and being an illegal agent of a foreign government.

Twitter confirms recent user data leak is from 2021 breach
2022-12-12 19:27

Twitter confirmed today that the recent leak of millions of members' profiles, including private phone numbers and email addresses, resulted from the same data breach the company disclosed in August 2022. Twitter says its incident response team analyzed the user data leaked in November 2022 and confirms it was collected using the same vulnerability before it was fixed in January 2022.

Guess which Fortune 500 brands and govt agencies share data with Twitter?
2022-12-09 14:30

Spoiler alert: just about all of them, all across the planet. More than 70,000 websites belonging to Fortune 500 brands, government agencies, and universities share consumers' data with Twitter...