Ever wonder what personal information your employees share on Twitter that you really wish they wouldn’t? Thanks to a massive data breach, you might get the answer to your question.
According to cybersecurity outlet Bleeping Computer, on November 23, hackers uploaded a database of personal data, including phone numbers and email addresses, and possibly bios, real-world locations and profile photos, belonging to 5.4 million Twitter users. That information is available for anyone to download and review at their leisure.
The hackers did not, however, share for free the information from a further 1.4 million accounts that were suspended at the time of the hack. Maybe once Elon Musk grants the promised amnesty for all these suspended accounts the hackers will give up the rest of the data?
According to cybersecurity expert Chad Loder, the hack involves Twitter accounts whose owners had enabled the setting that lets others find them by phone number. Twitter collected the phone number and email address information using an API that hackers breached in December 2021.
So, at the very least, you may want to advise your employees not to share phone numbers with Twitter and consider not using work or primary email addresses for their Twitter accounts. It may also be time to review what your employees are posting on the social media network, especially now that all the recent firings and upheaval at the company don’t entirely inspire confidence in Twitter’s cybersecurity hygiene.
What Your Employees Might Be Sharing With Twitter (That You Don’t Want Them To)
Social engineering techniques, a common method employed by hackers, leverage personal information to trick users into revealing confidential information such as login credentials. The more personal information a hacker possesses, the more convincing a social engineering attack that hacker can craft. User data leaks provide rich fodder for concocting these attacks.
Cybersecurity firm Tessian in 2021 published a report titled “How To Hack A Human,” which examines the threat posed by oversharing on social media. According to the report, only 54% of people pay attention to a sender’s email address and only 44% check the legitimacy of links before responding or taking action.
In other words, if and when your employees’ personal information gets hacked on social media, as in this huge Twitter breach, you can’t count on those employees to spot the social engineering attacks that may soon follow. “Users often don’t realize that posting about internal workings can harm their organization. For instance, posts that include project code words can be leveraged by cybercriminals in recon,” says Ryan Sherstobitoff, senior vice president of threat research and intelligence at IT security company SecurityScorecard.
“Companies should be clear about what their employees shouldn’t post and advise them not to share information that they don’t want to be made public, as it could lead to additional security incidents or give hackers ideas to further breach a company,” says Sherstobitoff.
Be Careful With Your Own APIs
Again, this hack took place via an API employed by Twitter, highlighting the need to be vigilant whenever you let third parties build applications against, or pull data from, your systems.
“This is the problem with APIs; when you have no security program around them, bad actions don’t look any different from normal users. Twitter simply didn’t understand the difference between a use case and an abuse case within their code, and this is something that happens regularly to companies of all sizes,” says Richard Bird, chief security officer at API security company Traceable. “This incident should serve as a reminder to the world of how weak API security is within almost every corporation and organization on the planet.”
“We are in the time of the API data breach where attackers are just starting to learn the simplicity of these attacks and really understand how to make the application do the attacker’s bidding,” says Jason Kent, hacker in residence at Cequence Security, a cybersecurity company that specializes in API protection.
“Knowing what API endpoints are out there, and what data can be accessed through them, is a great first step. Protecting endpoints with authentication, ensuring there isn’t data leaking out via excessive information in API responses and having a good understanding of what is out there can take an API security program to the next level,” adds Kent.
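The advice above (authenticate endpoints, keep responses minimal, know what is exposed) can be made concrete with a small model of the kind of feature at the centre of this breach: a “find an account by phone number” lookup. The following is an added example written for this article, not Twitter’s code or anything from the quoted companies; the account records, session tokens, log lines and rate-limit thresholds are all constructed. It contrasts a lookup that answers anyone with a full profile against a hardened version that requires a session, honours the user’s discoverability setting, throttles each caller and returns only the handle, and it finishes with a log check that flags clients walking through many distinct numbers.

```python
"""Added example, not code from the article or from Twitter: a toy
"find account by phone number" endpoint in a vulnerable and a hardened
form, plus a detector for enumeration in access logs. Every name,
record, token, log line and threshold below is constructed."""
from collections import defaultdict

# Constructed sample accounts; phone numbers and e-mails are fake.
USERS = {
    "alice": {"phone": "+15550100001", "email": "alice@example.com",
              "bio": "Infra lead at ExampleCorp", "discoverable_by_phone": True},
    "bob":   {"phone": "+15550100002", "email": "bob@example.com",
              "bio": "Finance", "discoverable_by_phone": False},
}


def lookup_vulnerable(phone):
    """No authentication, no throttling, and the response carries far more
    than the feature needs: a caller can tie a phone number to a handle,
    e-mail and bio regardless of the owner's discoverability setting."""
    for handle, rec in USERS.items():
        if rec["phone"] == phone:
            return {"handle": handle, "email": rec["email"], "bio": rec["bio"]}
    return None  # answering differently for "no such number" is itself a leak


class HardenedLookup:
    """Requires a valid session, honours the owner's discoverability setting,
    limits lookups per caller and returns only the handle."""

    def __init__(self, sessions, rate_limit=5):
        self.sessions = sessions        # session token -> caller id (constructed)
        self.rate_limit = rate_limit    # lookups allowed per caller per window
        self.counts = defaultdict(int)

    def lookup(self, session_token, phone):
        caller = self.sessions.get(session_token)
        if caller is None:
            return {"error": "unauthenticated"}
        self.counts[caller] += 1
        if self.counts[caller] > self.rate_limit:
            return {"error": "rate_limited"}
        for handle, rec in USERS.items():
            if rec["phone"] == phone and rec["discoverable_by_phone"]:
                return {"handle": handle}   # minimal response, nothing else
        # Same shape for "unknown number" and "owner opted out": no oracle.
        return {"handle": None}


# Constructed access-log lines in the form "client endpoint phone".
SAMPLE_LOG = """\
10.0.0.7 /lookup/phone +15550100001
10.0.0.7 /lookup/phone +15550100002
10.0.0.7 /lookup/phone +15550100003
10.0.0.7 /lookup/phone +15550100004
10.0.0.9 /lookup/phone +15550100001
10.0.0.9 /lookup/phone +15550100001
"""


def flag_enumeration(log_text, max_distinct=3):
    """Return clients that queried more distinct phone numbers than
    max_distinct: a genuine user rarely does, a list-walker always does."""
    distinct = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "/lookup/phone":
            continue
        client, _, phone = parts
        distinct[client].add(phone)
    return sorted(c for c, phones in distinct.items() if len(phones) > max_distinct)


if __name__ == "__main__":
    print(lookup_vulnerable("+15550100002"))          # full profile, no auth
    svc = HardenedLookup({"tok-carol": "carol"}, rate_limit=2)
    print(svc.lookup("tok-carol", "+15550100002"))    # {'handle': None}: bob opted out
    print(flag_enumeration(SAMPLE_LOG))               # ['10.0.0.7']
```

The counter in `HardenedLookup` is a stand-in for whatever per-caller quota a real gateway enforces; the point is that the quota, the session check and the trimmed response are all decided in one place, so an abuse case (walking a number list) looks different from a use case (one user checking one contact) both in the handler and in the logs.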