Twitter said that the November 2022 leak of private phone numbers and email addresses resulted from the data breach the company disclosed in August 2022. This autumn's leak included millions of profiles which, upon analysis, were linked to a breach caused by the vulnerability fixed in January 2022.
"In November 2022, some press reports published that Twitter users' data had been allegedly leaked online. As soon as we became aware of the news, Twitter's Incident Response Team compared the data in the new report to data reported by the media on 21 July 2022. The comparison determined that the exposed data was the same in both cases." - said Twitter.
In January 2022, Twitter's bug bounty program helped identify an API vulnerability that allowed linking an email address or phone number to the Twitter ID of a registered account. Unfortunately, a threat actor leveraged this vulnerability to build a database of 5.4 million user profiles with public and non-public data before Twitter could identify and remediate the problem.
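To make the class of bug concrete, here is an added example (not Twitter's code, and the endpoint shape, data store and rate-limit parameters are assumptions) of a contact-lookup handler that leaks the link between an email or phone number and an account id, beside a hardened variant that answers uniformly and throttles callers:

```python
"""Constructed example: an account-lookup API that leaks the mapping from a
contact identifier (email/phone) to a user id, beside a hardened version.
The data store, handler shapes and limits are assumptions, not Twitter's code."""
import time
from collections import defaultdict
from typing import Optional

# Constructed sample store: contact identifier -> account id (made-up data).
USERS = {"alice@example.com": 1001, "+15550100": 1002}


def lookup_vulnerable(identifier: str) -> dict:
    """Insecure: the response both confirms registration and reveals the account
    id for any identifier, so an unauthenticated caller can map contacts to accounts."""
    uid = USERS.get(identifier)
    if uid is None:
        return {"exists": False}
    return {"exists": True, "user_id": uid}


class ContactVerifier:
    """Hardened: identical response whether or not the contact is registered,
    plus per-caller rate limiting. Only the owner of the contact learns the
    mapping, via a message queued in `outbox` (delivery itself is out of scope)."""

    def __init__(self, limit: int = 5, window_s: int = 3600):
        self.limit, self.window_s = limit, window_s
        self._calls = defaultdict(list)  # caller -> timestamps of recent requests
        self.outbox = []  # (identifier, user_id) pairs to be sent to the contact

    def _allowed(self, caller: str, now: float) -> bool:
        recent = [t for t in self._calls[caller] if now - t < self.window_s]
        self._calls[caller] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True

    def lookup(self, identifier: str, caller: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        if not self._allowed(caller, now):
            return {"status": "rate_limited"}
        uid = USERS.get(identifier)
        if uid is not None:
            self.outbox.append((identifier, uid))  # disclosed only to the contact's owner
        # Same body for registered and unregistered identifiers: nothing to enumerate.
        return {"status": "ok",
                "message": "If this contact is registered, we sent instructions to it."}
```

The rate limit is a second line of defence; the uniform response is what actually removes the oracle.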
This summer, the scraped data was spotted on hacker forums, offered for sale at $30,000. Later, a JSON file containing the same data was spotted. Worse still, new data sets leaked by the threat actor suggest the breach was far more extensive: potentially up to 17 million records. However, Twitter has yet to reveal how many users were exposed. So far, it has encouraged users to enable two-factor authentication or dedicated authenticator apps to protect their accounts, and to keep an eye out for phishing emails.
We will not focus on the negative reputational impact this leak saga continues to have on an already battered Twitter. Instead, consider just one bare fact: a single vulnerability was not discovered in time and led to a huge leak. This, in turn, brings us to the point of a secure Software Development Lifecycle, or SDLC. It includes such stages as planning, designing, building, release, maintenance, etc., and making it secure (#SSDLC) requires incorporating security into each of these stages. For all major hi-tech companies offering services based on web or mobile applications or cloud solutions, keeping to the SSDLC principles is paramount.
We are confident that Twitter keeps to these principles (well, at least it used to, considering the recent bulk reductions in the company). On the other hand, a vulnerability of this type most probably could have been discovered with #whitebox pentesting, which casts even more doubt on the viability of those reductions. Let's hope they do not involve the cybersecurity team.
Not every company can afford cybersecurity personnel to augment its software teams. In that case, the best option is to engage a cybersecurity partner with relevant expertise, such as #Sekurno.
We have extensive experience making software design and development processes secure and would be happy to share it. Also, we are true pros in #pentesting, especially white-box.