In the early hours of a January 2023 morning (JST), Bloomberg reported "Twitter leaks information on over 230 million users".[1] I came across this article, so I'd like to use it as an opportunity to think a little about the risks involved.
Table of contents
- Event summary
- Possibility and risk of misuse
- Risk 1: Email addresses and phone numbers are used to link real accounts, sub-accounts, and secret accounts
- Risk 2: You may be phished using this information
- Risk 3: It can be used for profiling
- Risk 4: Spam swarming/DDoS attacks
- Identifier Problems
Event summary
According to the Bloomberg English report, early on that January 2023 morning (JST), information on over 17 million users, believed to have been leaked from Twitter, was posted on the message board "BreachForum." The information reportedly included email addresses, Twitter handles (the names beginning with @; in my case, @_nat), and "full name" (← what does that mean?). While I was writing this entry, though, it occurred to me to check piyolog, and there I found the article "A summary of the approximately 200 million records thought to have leaked from Twitter."[2] It summarizes in detail what is included:
- User Name
- User ID
- Number of followers
- Account Creation Date
- E-mail address
So those appear to be included. Piyokango-san, as expected. Bloomberg, on the other hand, please write it properly.
This data was not newly extracted; it was most likely extracted using a "vulnerability" in the Twitter API that existed from June 2021 to January 2022. The vulnerability itself was reported to Twitter in January 2022 and fixed immediately, according to Twitter's report of August 5, 2022.[3] According to that report, it was something like: "If someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any."[4][5]
It was already known in July 2022 that this API vulnerability had actually been exploited. The report only says that Twitter handles could be obtained, but once a handle is known, the "name" on the associated Twitter profile is also public, so the data posted on BreachForum may be the previously extracted data joined with the publicly available "names". In fact, on December 7, 2022, approximately 12 million records including phone numbers were put up for sale ("exclusively for $23, or $4 for non-exclusive sales").[6] It seems the data was cleaned by removing duplicates from the original set. For details, see the piyolog article.[7]
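To make the lookup behaviour concrete, here is a small model of what the August 2022 report and footnote 5 describe, side by side with a hardened version. This is illustrative code added to this post, not Twitter's code: the user directory, handles and rate-limit numbers are constructed, and the actual bug's code path (a bypass of the discoverability restriction in the API) is only approximated by a lookup that ignores the user's settings.

```python
import time
from dataclasses import dataclass


@dataclass
class User:
    handle: str
    email: str
    phone: str
    # "Let people who have your email address / phone number find you"
    discoverable_by_email: bool = False
    discoverable_by_phone: bool = False


# Constructed directory: one person, three accounts behind one phone number.
USERS = [
    User("@main_account", "alice@example.com", "+81-80-0000-0001",
         discoverable_by_email=True),
    User("@sub_account", "alice@example.com", "+81-80-0000-0001"),
    User("@secret_account", "alice.other@example.net", "+81-80-0000-0001"),
]


def lookup_vulnerable(identifier: str) -> list:
    """The behaviour the post describes: any submitted email address or
    phone number comes back with every account linked to it, ignoring the
    user's discoverability settings. One query links main, sub and secret."""
    return [u.handle for u in USERS if identifier in (u.email, u.phone)]


class RateLimited(Exception):
    pass


class DiscoveryService:
    """Hardened lookup: honours the per-channel opt-in, gives the same empty
    answer for 'unknown' and 'known but not discoverable', and caps lookups
    per caller (hits and misses alike) so the endpoint cannot be used to
    walk a list of leaked addresses or numbers."""

    def __init__(self, users, limit=10, window_s=3600, clock=time.monotonic):
        self.users = users
        self.limit = limit
        self.window_s = window_s
        self.clock = clock            # injectable for testing
        self._calls = {}              # caller_id -> timestamps of recent lookups

    def _allow(self, caller_id: str) -> bool:
        now = self.clock()
        recent = [t for t in self._calls.get(caller_id, ()) if now - t < self.window_s]
        allowed = len(recent) < self.limit
        if allowed:
            recent.append(now)
        self._calls[caller_id] = recent
        return allowed

    def lookup(self, caller_id: str, identifier: str) -> list:
        if not self._allow(caller_id):
            raise RateLimited(f"{caller_id}: over {self.limit} lookups per {self.window_s}s")
        matches = []
        for u in self.users:
            if "@" in identifier:
                visible = u.email == identifier and u.discoverable_by_email
            else:
                visible = u.phone == identifier and u.discoverable_by_phone
            if visible:
                matches.append(u.handle)
        return matches


if __name__ == "__main__":
    print(lookup_vulnerable("+81-80-0000-0001"))        # all three handles
    svc = DiscoveryService(USERS)
    print(svc.lookup("client-1", "+81-80-0000-0001"))   # []
    print(svc.lookup("client-1", "alice@example.com"))  # ['@main_account']
```

The point of the hardened version is less the opt-in check (which Twitter's feature already had in principle) than the uniform empty answer and the per-caller cap: an attacker holding a list of leaked email addresses learns nothing from "not found" versus "not discoverable", and cannot run the list through the endpoint at scale.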
Possibility and risk of misuse
First of all, your password has not leaked, so there is no direct risk of unauthorized login. Still, it would be a good idea to take this opportunity to review your login settings and set up a FIDO authenticator or a one-time password (OTP), so please do so. In fact, Twitter's report of August 5, 2022, mentioned above, recommends exactly this. (Bloomberg, on the other hand, why do you put "You should change your password in the 'Account' tab while logged in" ahead of stronger authentication? That's what I mean.)
Now, let's look at the risks. First, the risks of exploiting the vulnerability announced in August 2022.
Risk 1: Email addresses and phone numbers are used to link real accounts, sub-accounts[8], and secret accounts[9]
Risk: For some individuals, the biggest risk is that their sub-accounts and secret accounts can be linked to them using the email address or phone number as a key. Past tweets from a sub-account could then be dug up and used to harass or even threaten them. The original vulnerability report also listed this kind of name matching as the biggest risk.
Countermeasure: Hmm. It's pretty difficult once it has happened. Deleting sub-accounts and secret accounts can be effective to some extent, assuming they haven't already been linked. On the other hand, you may be criticized for deleting your tweets or account; people may think you're hiding something.
Going forward, if you create a sub-account or secret account, use a different email address and mobile phone number. Digging deeper into this topic (see below) is the reason I decided to write this entry in the first place, so please take a look at that as well.
Risk 2: You may be phished using this information
Risk: Even if the information is public or leaked, presenting someone with details that look correct and stirring up a sense of urgency makes them likely to fall for a scam. If an SMS like "The password for @_nat[10] (email address: nat@example.com) has been leaked. Please go to the following site and reset your password immediately" arrives at the registered mobile number 080-0987-6543[11], you'd probably just do it, wouldn't you?
Countermeasure: Changing your password, as Bloomberg recommends, is meaningless here. Two-factor authentication, as Twitter recommends, is almost guaranteed to be effective if you choose "security key." OTPs delivered by text message or generated by an authenticator app are themselves phishable and do not counter this risk (though they are effective against attacks that use previously leaked passwords).
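Why a security key counters the SMS scenario above while an app or SMS OTP does not: the code below, added to this post as an illustration and not taken from Twitter or Bloomberg, simulates an adversary-in-the-middle relay against both. The TOTP part follows RFC 6238; the assertion part follows the shape of a WebAuthn assertion (challenge and origin in clientDataJSON, rpIdHash in authenticatorData, browser-enforced rpId/origin match) but uses an HMAC as a stand-in for the authenticator's asymmetric signature, and the origins, credential key and challenge are constructed.

```python
import hashlib
import hmac
import json
import struct

# ---------- TOTP (RFC 6238: HMAC-SHA1, 30-second step) ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for the given time (RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Accept the current step and one step either side (clock drift)."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step), code)
               for d in (-1, 0, 1))


def otp_relay_attack(secret: bytes, now: int) -> bool:
    """The victim reads the code from the app or SMS and types it into the
    phishing page; the attacker forwards it to the real site a few seconds
    later. Nothing in the code records which site it was typed into."""
    code_typed_on_phishing_page = totp(secret, now)
    return verify_totp(secret, code_typed_on_phishing_page, now + 5)


# ---------- Origin-bound assertion in the style of WebAuthn ----------
RP_ID = "twitter.com"
REAL_ORIGIN = "https://twitter.com"
PHISH_ORIGIN = "https://twitter-security-reset.example"   # constructed


def _host(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0]


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, cred_key: bytes) -> dict:
    """What the browser does on navigator.credentials.get(): it refuses an
    rpId that is not a registrable suffix of the page's host, and it (not the
    page, not the user) writes the page's origin into clientDataJSON."""
    host = _host(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId does not match origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    # HMAC stands in for the authenticator's ECDSA/EdDSA signature.
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(cred_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the
    signature over authenticatorData || SHA-256(clientDataJSON)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:          # the check that defeats the relay
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legit_login(cred_key: bytes, challenge: str) -> bool:
    return rp_verify(cred_key, challenge,
                     browser_get_assertion(REAL_ORIGIN, RP_ID, challenge, cred_key))


def webauthn_relay_attack(cred_key: bytes, challenge: str) -> bool:
    """Same relay, but the victim's browser is on the phishing origin. The
    attacker forwards the real site's challenge; whatever rpId the phishing
    page asks for, the result never verifies at the real site."""
    try:   # asking for the real rpId: the browser refuses outright
        assertion = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, cred_key)
    except PermissionError:
        # fall back to the phishing site's own rpId: it signs, but origin and rpIdHash are wrong
        assertion = browser_get_assertion(PHISH_ORIGIN, _host(PHISH_ORIGIN), challenge, cred_key)
    return rp_verify(cred_key, challenge, assertion)


if __name__ == "__main__":
    SEED = b"12345678901234567890"      # RFC 6238 test-vector seed
    KEY = b"constructed credential key"
    print("TOTP relay succeeds:", otp_relay_attack(SEED, 1_700_000_000))     # True
    print("legit security-key login:", legit_login(KEY, "challenge-1"))       # True
    print("security-key relay succeeds:", webauthn_relay_attack(KEY, "challenge-1"))  # False
```

The asymmetry is the whole story of this countermeasure: a six-digit code is a bearer value that works wherever it is entered, whereas a security-key assertion is a signature over a statement that includes the origin the browser was actually on, so a relay from a look-alike domain produces a signature the real site will never accept.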
Risk 3: It can be used for profiling
Risk: The leaked information, and whatever can be retrieved from it, is linked via the email address or phone number to information a company already holds and used for targeted profiling.
Countermeasure: There aren't many realistic, that is, cost-effective, solutions. If you have any ideas, please write them in the comments.
Risk 4: Spam swarming/DDoS attacks
Risk: For ordinary people, the leaked email addresses and phone numbers could attract spam that interrupts their work or free time, or causes them to miss messages they shouldn't miss. For celebrities, it could amount to a DDoS attack.
Countermeasure: This is bad news for those who have disclosed their email address and phone number only to people who matter and have otherwise kept them private. You may have to allowlist the people you currently share them with and block everyone else, or change your number. For phone calls in particular, if the carrier cannot do anything about it, the number may become unusable.
There are probably many more things I could find if I looked into it more closely, but for now I'll leave it at that. If you have any ideas, I'd be happy if you could write them in the comments.
Identifier Problems
When I started writing this entry, I was going to delve deeper into the issue of identifiers under the title "Thinking about the identifier problem using the information leak incident involving over 230 million Twitter users as a subject," but it's gotten pretty long and it's almost 3am and I'm tired, so I'll stop here for now. What I was thinking of writing was:
- Identifier vs. credential conflation issue: My impression was that the initial "vulnerability" was actually a bug in the specification that came from this area, which is what prompted me to write this entry in the first place. I ran out of energy before I got that far, though. You might think "That's stupid," but this confusion is quite common, especially when these are used to reset passwords. Well, I'd like to believe that wasn't the case with Twitter.
- Account matching issue: The main topics are those mentioned in the risk section. In addition, there are the following:
- Backup authentication methods for pseudonymous accounts
- Confusion of backup authentication methods when using reusable identifiers
- Issue of Twitter using email addresses and phone numbers for purposes other than intended: It seems that these, which were collected as backup authentication methods, were then used for targeting.
- Details: Twitter faces $250 million FTC fine for misusing emails and phone numbers (2020-08-04)
I have started explaining identifiers on the Japanese YouTube channel I created at the end of last year (although as of January 2023 only the first episode has been uploaded).
In this first installment, "Classification and Risks of Identifiers: A Complete Guide to Identifiers ①",[12] I talk about the classification and risks of identifiers (embedded below). As you can see from it, email addresses and phone numbers are basically reusable identifiers. They are also omnidirectional identifiers, and in many cases persistent identifiers: almost nobody changes their email address and mobile phone number every three years. Taking these things into account, I was planning to write about the lessons that can be learned from this incident. But that will be for another time.
Well then!
Footnotes
- [1] English version: Twitter Security Headaches Mount With User Data Leak Claim (excerpt translation)
- [2] https://piyolog.hatenadiary.jp/entry/2023/01/07/000622
- [3] An incident impacting some accounts and private information on Twitter
- [4] Original text: "If someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any." (Source) Twitter's report dated August 5, 2022 (accessed January 5, 2023)
- [5] More details: I learned this from mala. The article "Discoverability by phone number/email restriction bypass" has the details, and reading it makes clear what the bug was about. (Added on 1/11)
- [6] Source: the piyolog article above
- [7] https://piyolog.hatenadiary.jp/entry/2023/01/07/000622
- [8] Sub-accounts
- [9] Secret accounts
- [10] Until recently I used a different example address here, but since it turned out to be a real account, I quickly changed it to my own address. I hope this isn't a problem for you, but I'm sorry...
- [11] This is a phone number that does not exist. I checked, so that it can be used as an example.
- [12] https://www.youtube.com/watch?v=Ak3nSqwro9I
1 Reply to "Considering the risks of the Twitter data leak incident involving over 230 million users"