In July of this year, cybercriminals began selling the user data of more than 5.4 million Twitter users on a hacking forum after exploiting an API vulnerability revealed in December 2021.
Recently, a hacker released this information for free, and other researchers have reported a breach affecting millions of accounts in the EU and US.
According to a blog post from Twitter in August, the exploit allowed hackers to submit email addresses or phone numbers to the API and learn which account each was associated with.
While Twitter patched the vulnerability in January this year, it still exposed the private phone numbers and email addresses of millions of users, highlighting that the impact of exposed APIs can be devastating to modern organizations.
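The lookup pattern described above, as an added example that is not Twitter's code: a constructed account-lookup handler that reveals which account an email address or phone number maps to, beside a hardened version that answers uniformly whether or not a match exists and cuts off callers who exceed a request budget. The user table, client ids, outbox and alert list are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: contact -> account handle.
USERS = {
    "alice@example.com": "alice",
    "+15550100": "bob",
}


def lookup_vulnerable(contact: str) -> dict:
    """Leaky lookup: the response differs depending on whether the contact
    exists, so any caller can map an email or phone number to an account."""
    handle = USERS.get(contact)
    if handle is None:
        return {"found": False}
    return {"found": True, "handle": handle}


class HardenedLookup:
    """Uniform-response lookup: the caller gets the same answer whether or not
    the contact matches an account. If it does, the account owner is notified
    out of band (simulated by an outbox), so the caller learns nothing.
    A per-client budget stops bulk probing and records the client for review."""

    def __init__(self, max_requests: int = 5):
        self.max_requests = max_requests
        self.counts = defaultdict(int)   # requests seen per client id
        self.outbox = []                 # (contact, message) sent to real owners
        self.alerts = []                 # hypothetical hook for the SOC

    def lookup(self, contact: str, client_id: str) -> dict:
        self.counts[client_id] += 1
        if self.counts[client_id] > self.max_requests:
            self.alerts.append(client_id)
            return {"error": "rate_limited"}
        handle = USERS.get(contact)
        if handle is not None:
            # Side effect goes to the owner, never into the API response.
            self.outbox.append((contact, f"Account {handle}: a lookup used your contact"))
        # Identical body for hits and misses, so existence is not disclosed.
        return {"status": "If an account matches, we will contact it directly."}
```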
The true impact of API attacks
The Twitter breach comes amid a spate of API attacks. Salt Security reports that 95% of organizations have experienced security vulnerabilities in production APIs in the last 12 months and 20% have experienced a data breach due to security gaps in APIs.
This high exploitation rate is consistent with Gartner's prediction that API attacks would become the most common attack vector this year.
One of the unfortunate realities of API attacks is that vulnerabilities in these systems allow access to unprecedented amounts of data, in this case the records of 5.4 million users or more.
“Because APIs are intended to be used by systems to communicate with each other and exchange massive amounts of data, these interfaces are an attractive target for malicious exploitation,” said Avishai Avivi, SafeBreach CISO.
Avivi notes that these vulnerabilities provide direct access to underlying data.
“While traditional software vulnerabilities and API vulnerabilities share some common features, they are fundamentally different. APIs rely to some extent on the system trying to connect to them,” said Avivi.
This trust is problematic because once an attacker gains access to an API, they have direct access to an organization's underlying databases and all the information stored therein.
What's the threat now? Social engineering
The main threat arising from this breach is social engineering. Using the names and addresses obtained from this leak, it is possible for cybercriminals to target users with email phishing, voice phishing, and smishing scams to try to trick users into handing over personal information and credentials.
“With so much information made public, criminals could quite easily use it to launch convincing social engineering attacks against users. This could be not only to target their Twitter accounts, but also by impersonating other services such as online shopping sites, banks or even tax offices,” said Javvad Malik, security awareness advocate at KnowBe4.
While these scams target end users, organizations and security teams can provide timely updates to ensure users are aware of the threats they are most likely to encounter and how to address them.
“People should always be wary of suspicious communications, especially when asking for personal or sensitive information, such as passwords,” Malik said. “When in doubt, people should contact the alleged service provider directly or log into their account directly.”
It’s also a good idea for security teams to remind employees to activate two-factor authentication on their personal accounts to reduce the chance of unauthorized logins.