Connect with us

Press Release

Online data breaches involving 5.4 million Twitter users and more private sharing

Published

on

Online data breaches involving 5.4 million Twitter users and more private sharing

An API flaw that was patched in January allowed for the theft of over 5.4 million Twitter user records that contained private information. These records were made available for free sharing on a hacker forum.

A security researcher has also revealed another enormous, possibly more significant, data dump of millions of Twitter records, illustrating how widely this flaw was utilised by threat actors.
The material is made up of public data that has been scraped as well as secretive email addresses and phone numbers.

The data breach on Twitter
In July of last year, a threat actor started charging $30,000 for the personal data of more than 5.4 million Twitter users.

The majority of the material was made up of publicly available details such Twitter IDs, names, login names, localities, and verified statuses; however, there was also private information like phone numbers and email addresses.

This information was gathered in December 2021 by utilising a Twitter API flaw that was made public through the HackerOne bug bounty programme. This flaw allowed users to submit their phone numbers and email addresses to the API in order to obtain the corresponding Twitter ID.

The threat actors might then use this ID to scrape the account’s public data to generate a user record with both private and public data. The HackerOne disclosure may have been disclosed, but BleepingComputer was informed that numerous threat actors were using the flaw to steal personal data from Twitter.

Twitter confirmed it had experienced a data breach due to an API issue resolved in January 2022 after BleepingComputer sent them a sample of the user details.

This past weekend, Pompompurin, the proprietor of the Breached hacking site, revealed to BleepingComputer that they were in charge of exploiting the flaw and producing the enormous dump of Twitter user data after another threat actor going by the name of “Devil” disclosed the vulnerability to them.

Nearly 7 million Twitter profiles with private information were found overall, including the 5.4 million records for sale and an additional 1.4 million suspended user profiles that were gathered via a separate API.

Pompompurin said that this second data dump was only privately distributed to a select group of individuals and was not sold.

Sharing of Twitter data on a hacking forum
The 5.4 million Twitter records have now been freely posted on a hacking forum twice—once in September and most recently on November 24.

This data, which includes 5,485,635 records of Twitter users, was for sale in August, and Pompompurin has confirmed this to BleepingComputer.

These records include the account’s Twitter ID, name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, likes count, statuses count, and profile image URLs, along with either a private email address or phone number.

An even larger data dump was produced in secret.
Although it is troubling that threat actors gave out 5.4 million records, it is also claimed that the same vulnerability was used to create a much larger data dump.

This data dump may comprise tens of millions of Twitter records, including public data like verified status, account names, Twitter IDs, bios, and screen names, as well as personal phone numbers gathered using the same API problem.

Security expert Chad Loder, who initially reported the information on Twitter and was suspended shortly after publishing it, is the source of the information on this more serious data leak. Later, Loder published a sample of this wider data breach on Mastodon with redactions.

“I recently learned about a significant Twitter data breach that affected millions of US and EU Twitter accounts. I got in touch with a small number of the impacted accounts, and they confirmed that the stolen information is true. This breach did not happen until 2021, “Shared on Twitter by Loder

A sample file from this previously unreported Twitter data dump, which contains 1,377,132 phone numbers for people in France, has been discovered by BleepingComputer.

The phone numbers in this leak have since been verified by a large number of people, proving that this additional data breach is legitimate.

Additionally, none of these phone numbers were part of the initial data sold in August, demonstrating how much more user data was available to threat actors than Twitter had previously reported and how much broader Twitter’s data breach was than had been previously disclosed.

Additionally, Pompompurin informed BleepingComputer that they were not in charge of and were unaware of the creator of the recently found data leak, proving that other parties were utilising this API vulnerability.

According to information obtained by BleepingComputer, this recently found data dump comprises of a large number of files divided up by region codes and countries, including Europe, Israel, and the USA.

Although we were informed that it contains more than 17 million records, we were unable to independently verify this.

It is crucial to carefully review any email that purports to be from Twitter because this information might potentially be used for targeted phishing attacks to get login credentials.

You should disregard and delete any emails that encourage you to log in to a non-Twitter domain and claim that your account has been suspended, there are login problems, or you are about to lose your verified status. These emails are likely phishing attempts.

On Thursday, BleepingComputer contacted Twitter on this additional data leak of personal data, but has not heard back.

 

Continue Reading

Press Release

After discontinuing support for ransom payments, insurer AXA was attacked by ransomware.

Published

on

After discontinuing support for ransom payments, insurer AXA was attacked by ransomware.

A ransomware cyber assault has targeted the Thai, Malaysian, Hong Kong, and Philippine branches of the world’s largest insurance company, AXA.

The Avaddon ransomware organisation claimed yesterday, as reported by BleepingComputer, that it had stolen 3 TB of private data from AXA’s Asian operations.

Additionally, AXA’s international websites were down yesterday for a while due to a Distributed Denial of Service (DDoS) attack, according to BleepingComputer.

The group claims that the compromised data collected by Avaddon includes copies of ID cards, bank account statements, claim forms, payment records, contracts, claim forms for customers that reveal their sexual health diagnosis, and more.

The group’s statement follows AXA’s revelation that it would no longer cover ransomware extortion payments when underwriting cyber-insurance plans in France.

Asian AXA offices are targeted by a ransomware organisation.
The ransomware organisation Avaddon took responsibility for the attack on AXA’s offices in Asia yesterday.

The group also asserted that there was a DDoS attack ongoing against AXA’s websites hosted in Thailand, Malaysia, Hong Kong, and the Philippines:

The Avaddon ransomware gang initially made the threat to launch DDoS assaults to take down victims’ websites or networks until they get in touch and start negotiating to pay the ransom in February 2021.

When ransomware gangs started deploying DDoS assaults against their victims as an extra point of leverage in October 2020, BleepingComputer became the first publication to report on this new development.

About a week after AXA announced that payment for ransomware extortion settlements would no longer be included in their cyber-insurance policies sold in France, Avaddon announced the attack on AXA’s infrastructure.

Avaddon started dumping part of the stolen data on their leak site yesterday, as seen by BleepingComputer, even if the exact date of the incident remains unknown.

Avaddon also threatened to expose AXA’s priceless records if the insurance firm didn’t get in touch with them and work with them within 10 days.

The gang asserts to have obtained 3 TB of AXA data, which includes:

client medical records (including those containing sexual health diagnosis)
customer claims payments to consumers’ bank accounts scanned records content only available to hospitals and physicians (private fraud investigations, agreements, denied reimbursements, contracts)
Identity cards, passports, and other forms of identification

AXA: Access to data by a Thai partner only, “No Evidence”
AXA responded when approached by BleepingComputer as follows:

A recent targeted ransomware assault on Asia Assistance affected its IT operations in Thailand, Malaysia, Hong Kong, and the Philippines.

As a result, someone was able to access some data handled by Inter Partners Assistance (IPA) in Thailand.

“At this time, there is no proof that any additional data was accessed in Thailand beyond IPA.”

“The incident is being investigated by a dedicated taskforce that includes outside forensic experts. Partners in business and regulators have been informed.”

According to an AXA spokesman, “AXA takes data privacy very seriously and will take the appropriate procedures to notify and help all corporate clients and people impacted” if IPA’s investigations reveal that sensitive data of any persons have been affected.

The incident’s timing is interesting in light of this week’s FBI and Australian Cyber Security Centre (ACSC) alerts on ongoing Avaddon ransomware assaults aimed at enterprises from a wide range of industries in the US and around the world.

Attackers who use ransomware on enterprises continue to expand and interrupt many operations while demanding extortionate ransom payments.

The DarkSide cyberterrorist organisation recently requested $5 million to reactivate the Colonial Pipeline infrastructure.

Additionally, just this week, BleepingComputer reported that a $20 million ransomware demand was made on Ireland’s Health Services.

Continue Reading

Press Release

After taking data, the Android spyware BRATA wipes your smartphone.

Published

on

After taking data, the Android spyware BRATA wipes your smartphone.

The most recent version of the Android malware known as BRATA now includes several new and dangerous features, such as GPS tracking, the ability to use numerous communication channels, and a tool that wipes all evidence of malicious activity from the device by performing a factory reset.

Kaspersky originally identified BRATA as an Android RAT (remote access tool) in 2019 that mostly targeted Brazilian users.

A Cleafy report from December 2021 highlighted the malware’s appearance in Europe, where it was observed to target customers of online banking services and steal their credentials with the help of con artists posing as bank customer support representatives.

Cleafy analysts kept an eye out for new features in BRATA, and in a new research released today, they show how the malware is still evolving.

versions with modifications for various audiences
The most recent iterations of the BRATA malware currently target e-banking users in China, Latin America, the UK, Poland, Italy, and Spain.

With various overlay sets, languages, and even different apps to target particular populations, each version focuses on a different bank.

In all versions, the developers employ comparable obfuscation strategies, such as enclosing the APK file in an encrypted JAR or DEX package.

The VirusTotal scan below shows how effectively this obfuscation avoids antivirus detections.

On that front, before moving on to the data exfiltration process, BRATA now actively looks for indicators of AV presence on the device and tries to erase the discovered security tools.

 

New capabilities
The keylogging functionality, which is a new feature in the most recent BRATA versions, was discovered by Cleafy researchers and adds to the existing screen capturing capabilities.

All new variations also include GPS monitoring, however analysts are unsure of its precise function.

The performing of factory resets, which the actors do in the following circumstances, is the scariest of the new malevolent features.

The fraudulent transaction has been successfully finished after the compromise (i.e. credentials have been exfiltrated).
It has been discovered by the programme that it operates in a virtual environment, perhaps for analysis.
The kill switch used by BRATA is a factory reset, which wipes the device and increases the risk of a victim experiencing an unexpected and permanent loss of data.

Finally, BRATA now supports HTTP and WebSockets and has provided new channels for data exchange with the C2 server.

 

A direct, low-latency route that is perfect for in-the-moment communication and live manual exploitation is provided by the choice of WebSockets for the actors.

Additionally, because WebSockets don’t need to send headers with each connection, less suspicious network traffic is generated, which reduces the likelihood of being discovered.

Basic safety precautions
BRATA is only one of several sneaky RATs and Android banking trojans that target users’ banking credentials that are out there.

Installing apps from the Google Play Store, avoiding APKs from dubious websites, and always scanning them with an AV programme before opening them are the best strategies to prevent being infected by Android malware.

Pay close attention to the permissions that are requested during installation and don’t allow those that don’t seem necessary for the app’s primary functions.

Finally, keep an eye on your battery life and network traffic levels to spot any sudden spikes that can be caused by malicious processes that are running in the background.

Continue Reading

Press Release

Record: hackers scraped information of 500M LinkedIn customers and published it available online; LinkedIn validates the dataset includes publicly viewable details from its site (Katie Canales/Insider).

Published

on

hackers scraped information

ReporReport: hackers scraped data of 500M LinkedIn users and posted it for sale online; LinkedIn confirms the dataset includes publicly viewable info from its site (Katie Canales/Insider)

Katie Canales / Insider:
Report: hackers scraped data of 500M LinkedIn users and posted it for sale online; LinkedIn confirms the dataset includes publicly viewable info from its site — – Personal data from 500 million LinkedIn users has been scraped and is reportedly for sale on a hacking forum.t: hackers scraped data of 500M LinkedIn users and posted it for sale online; LinkedIn confirms the dataset includes publicly viewable info from its site (Katie Canales/Insider)

Katie Canales / Insider:
Report: hackers scraped data of 500M LinkedIn users and posted it for sale online; LinkedIn confirms the dataset includes publicly viewable info from its site — – Personal data from 500 million LinkedIn users has been scraped and is reportedly for sale on a hacking forum.

Continue Reading

Trending