I use a unique email address for every account I create on my domain. My provider (runbox) is so good at spam filtering, I can't tell if using unique emails has benefited me in any way. The only address that ever gets spam is the one I put on my homepage in plaintext. And I've been doing this for 12 years. Spam filtering is kinda amazing, but it hides the reality that I was trying to measure.
Is this the same breach that was half-disclosed in November, but there was no response or journalistic follow-up and the reporting researcher was deplatformed? That one was confusing.
- "The news of this more significant data breach comes from security expert Chad Loder, who first broke the news on Twitter and was suspended soon after posting. Loder subsequently posted a redacted sample of this larger data breach on Mastodon."
- "I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US. I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021," Loder shared on Twitter."
- "BleepingComputer has obtained a sample file of this previously unknown Twitter data dump, which contains 1,377,132 phone numbers for users in France."
- "We have since confirmed with numerous users in this leak that the phone numbers are valid, verifying this additional data breach is real."
Oh fun, soon prospective employers who have your email address or phone number will be able to look up your Twitter account and read all the tweets you totally intended for that audience.
Might be worth nuking your account if you are at risk of being outed for something.
Even still - they could access deleted content from this breach.
I’ve always said I don’t have social media, I get enough of what I want without logging in, and anything online is a fake/scam account not to be trusted. Sure. It’s got a user icon with my face in it. That’s easy.
The more deepfakes become … deeper? more faker? … the easier it will be to say “it wasn’t me.”
I believe the maximum time to respond to deletion requests per GDPR is 30 days. I know a lot of people have had similar issues so I'm sure this is going to be a big issue in the EU.
>In July 2022, a hacker forum post offered to sell the personal information of over 5.4 million Twitter users for $30,000. The data included publicly available information like Twitter IDs, names, login names, locations, and verified status, as well as private information like email addresses and phone numbers.
>The hack occurred in December 2021 when a vulnerability in the Twitter API was exposed through the HackerOne bug bounty program. This vulnerability allowed anyone to enter a phone number or email address into the API and link it to a Twitter ID.
It was scraping and a bypass of the privacy setting that lets you prevent people finding you by your email or phone number.
Is there a country with currency in which $30,000 is roughly “one million” of whatever their currency is?
That seems like an awfully low number for anybody with access to western salaries… almost a waste of a hack, like when the Musk twitter account hacker posted the stupidest of crypto scams.
> Twitter users for $30,000. The data included publicly available information like Twitter IDs, names, login names, locations, and verified status, as well as private information like email addresses and phone numbers.
Regardless of this data breach, phone number login / verification or SMS 2FA is an absolutely stupid idea. I have said this before [0] and it appears that with the resurfacing of this old data breach, it turns out that it exposes users to even more SS7 attacks and SIM swapping attacks.
In general, anything that violates the user's privacy from Twitter to TikTok especially a breach of user data should be fined by the regulators on the basis of the total number of users signed up. Hundreds of millions of dollars in fines for Twitter and for larger networks; it should be a fine in the billions of dollars.
> Regardless of this data breach, phone number login / verification or SMS 2FA is an absolutely stupid idea.
They don't care, its not actually for security or Safety, rather it's a unique ID thats much harder to change than E-Mail, thus much easier to track across services.
25 comments
[ 3.3 ms ] story [ 70.4 ms ] thread- "The news of this more significant data breach comes from security expert Chad Loder, who first broke the news on Twitter and was suspended soon after posting. Loder subsequently posted a redacted sample of this larger data breach on Mastodon."
- "I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US. I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021," Loder shared on Twitter."
- "BleepingComputer has obtained a sample file of this previously unknown Twitter data dump, which contains 1,377,132 phone numbers for users in France."
- "We have since confirmed with numerous users in this leak that the phone numbers are valid, verifying this additional data breach is real."
https://www.bleepingcomputer.com/news/security/54-million-tw...
Since he was banned at the same time than crimeth!nc i thought it was political.
Might be worth nuking your account if you are at risk of being outed for something.
I’ve always said I don’t have social media, I get enough of what I want without logging in, and anything online is a fake/scam account not to be trusted. Sure. It’s got a user icon with my face in it. That’s easy.
The more deepfakes become … deeper? more faker? … the easier it will be to say “it wasn’t me.”
Is this sarcasm?
I wonder if a legal nastygram is in order and would get sufficient traction.
>The hack occurred in December 2021 when a vulnerability in the Twitter API was exposed through the HackerOne bug bounty program. This vulnerability allowed anyone to enter a phone number or email address into the API and link it to a Twitter ID.
It was scraping and a bypass of the privacy setting that lets you prevent people finding you by your email or phone number.
That seems like an awfully low number for anybody with access to western salaries… almost a waste of a hack, like when the Musk twitter account hacker posted the stupidest of crypto scams.
Regardless of this data breach, phone number login / verification or SMS 2FA is an absolutely stupid idea. I have said this before [0] and it appears that with the resurfacing of this old data breach, it turns out that it exposes users to even more SS7 attacks and SIM swapping attacks.
In general, anything that violates the user's privacy from Twitter to TikTok especially a breach of user data should be fined by the regulators on the basis of the total number of users signed up. Hundreds of millions of dollars in fines for Twitter and for larger networks; it should be a fine in the billions of dollars.
[0] https://news.ycombinator.com/item?id=32364674
They don't care, its not actually for security or Safety, rather it's a unique ID thats much harder to change than E-Mail, thus much easier to track across services.
Oh also Bot protection if that matters anyway.