Ireland’s Data Protection Commission (DPC) has launched an inquiry into a Twitter breach that affected over 5.4 million users. The breach exploited an API vulnerability in Twitter’s code, which was later patched in June 2021. In July 2022, information from the Twitter breach was for sale on blackhat forums. Twitter issued an update about the breach in Aug. 2022.
The DPC inquiry will investigate whether Twitter Inc. was in violation of section 110 of the Data Protection Act (the Act) and the General Data Protection Regulation (GDPR). The DPC is the regulator responsible for Big Tech in the EU and has previously fined both Twitter and Meta for GDPR non-compliance.
“The DPC, having considered the information provided by TIC regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Act may have been, and/or are being, infringed in relation to Twitter Users’ personal data,” read the DPC statement.
5.4 Million Twitter Users Affected
In July 2022, the user information from this recent breach was up for sale, and it included more than just publicly viewable information: Twitter IDs, locations, verification statuses, phone numbers, and email addresses of the affected users. Twitter’s August update stated that the breach occurred in 2021, before the company had fixed the bug.
On Jan. 1, 2022, the HackerOne Bug Bounty blog reported the API vulnerability, prompting Twitter to fix it in June 2022. At the time, the company believed no one had exploited the vulnerability. But now, with the information of 5.4 million users on sale, it seems that Twitter wasn’t so lucky. The cybercriminals harvested users’ phone numbers and email addresses by exploiting the vulnerability. What’s shocking is that the vulnerability exposed users even when their Twitter privacy settings were set to private.
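To illustrate the class of flaw described above, here is an added example (not Twitter’s code, and not a description of its actual API): a simplified account-lookup handler that matches on a submitted email or phone number while ignoring the account’s discoverability setting, shown beside a hardened version that honours the setting and returns an identical response for unknown and non-discoverable contacts. The accounts, flags and field names are all constructed for the example.

```python
# Added illustration (hypothetical code, not Twitter's): an account-lookup
# endpoint that leaks contact-to-account links, and a hardened variant.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool  # user's privacy setting (constructed)
    discoverable_by_phone: bool  # user's privacy setting (constructed)


# Constructed sample directory; Bob has opted out of discoverability.
ACCOUNTS = [
    Account(1001, "alice_public", "alice@example.com", "+15550100", True, True),
    Account(1002, "bob_private", "bob@example.com", "+15550101", False, False),
]


def lookup_vulnerable(email: Optional[str] = None, phone: Optional[str] = None) -> dict:
    """Flawed variant: matches on the contact detail alone, so a caller who
    submits an email or phone number learns which account owns it even when
    that account opted out of discoverability. Repeated over a list of
    numbers or addresses, this lets a caller harvest contact-to-handle links."""
    for acct in ACCOUNTS:
        if (email and acct.email == email) or (phone and acct.phone == phone):
            return {"found": True, "user_id": acct.user_id, "handle": acct.handle}
    return {"found": False}


def lookup_hardened(email: Optional[str] = None, phone: Optional[str] = None) -> dict:
    """Hardened variant: checks the per-channel discoverability flag and
    returns the same response whether the detail is unknown or belongs to a
    non-discoverable account, so the response cannot confirm ownership."""
    for acct in ACCOUNTS:
        if email and acct.email == email and acct.discoverable_by_email:
            return {"found": True, "user_id": acct.user_id, "handle": acct.handle}
        if phone and acct.phone == phone and acct.discoverable_by_phone:
            return {"found": True, "user_id": acct.user_id, "handle": acct.handle}
    return {"found": False}
```

A lookup endpoint of this kind should also be rate-limited and logged per caller, since the flaw only becomes a mass harvest when many lookups can be made cheaply.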
Twitter has informed users that they can’t manually check whether their accounts were affected by the breach. Striking a reassuring tone, however, the company told affected users that the cybercriminals didn’t obtain any passwords. Twitter’s update further advised users to enable two-factor authentication (2FA) for better online security.
The cybercriminal (Pompompurin) responsible for this compromise was allegedly also responsible for another Twitter compromise through a different API vulnerability. The data from that compromise, covering 1.4 million Twitter users, turned out to be valid.
Breach Could Be Far Worse than Described
According to researcher Chad Loder, CEO of the cybersecurity firm Habitu8, the breach was likely far worse than reported, with potentially 17 million users affected. These claims remain unsubstantiated as of yet.
The CEO took to Twitter, saying, “From what I have confirmed, the breached Twitter data covers, at a minimum, the full phone number spaces for multiple country codes in the EU, and some area codes in the US. The dataset includes verified accounts, celebrities, prominent politicians, and government agencies.”
In the tweet thread, which later led to his account suspension, Chad Loder claimed a breach, similar to the recent one, had taken place in 2021. He claims Twitter is hiding this. He tweeted, “I compared this breached data to a sample from the data breach mentioned in the 2022 article. It is NOT the same data. Completely different format, different affected accounts. Likely multiple actors all exploiting the same vulnerabilities in 2021.”
If Chad Loder’s accusations are true, the cybercriminals were likely exploiting the vulnerability well before Twitter wised up to it. This would mean at least two separate breaches have occurred, and the number of affected users would be far higher than the 5.4 million Twitter admitted to in August. That said, the DPC’s inquiry will look into the leaked database of 5.4 million users and not the other breaches.
Social Media Platforms Are Generally Unsafe
Switching to private settings is less effective at protecting users’ information than many assume, as this recent breach clearly shows. Social media companies have, time and again, failed to safeguard customer information. With both Facebook and Twitter making headlines for the wrong reasons, it seems the only way to safeguard information online is to stop uploading it. Yet that’s not a practical measure, as most businesses rely on these platforms for marketing.
Recently, cybersecurity experts have confirmed the use of sophisticated attacks and an ever-widening array of attack vectors. This makes a fully impenetrable network a near impossibility; most cybersecurity professionals hold that, given enough time and resources, any network is breachable.
However, following even basic security practices, such as firewalls, network monitoring, and employee awareness training, can greatly reduce exposure. These measures serve as safety nets and shouldn’t replace user caution and discretion on public networks and social applications. Social media applications in particular have become favorite hunting grounds for cybercriminals, because they are centralized repositories holding large volumes of user information that can be accessed with relative ease.
Previous Fines by the DPC for GDPR Violations
In 2020, the DPC fined Twitter €450,000 for failing to notify them of a breach within the 72-hour timeframe set in the GDPR. The DPC also fined Facebook €265 million in 2022 under GDPR for a breach that affected over 533 million Facebook users. In March 2022, the authority fined Facebook again for €17 million.
Under the GDPR, EU data regulators can impose maximum fines of up to €20 million or 4% of the violating company’s total annual global turnover. Fines can vary greatly, going as low as €100. A full list of all GDPR fines and other information is available on the GDPR enforcement tracker website.
Violating entities could face other types of penalties apart from fines:
- Warnings and reprimands
- Temporary or permanent ban on data processing
- Rectification, restriction, or erasure of data
- Suspending data transfers to third countries
With the threat of cybercriminals and exorbitant fines lurking, online organizations must ensure compliance with cybersecurity protocols and the GDPR. This is especially true when handling information about European citizens. Though the GDPR and the DPC mainly deal with larger breaches, many businesses have been fined smaller amounts for lesser violations.