{"id":594971,"date":"2023-01-07T05:49:40","date_gmt":"2023-01-07T11:49:40","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/07\/twitter-data-breach-shows-apis-are-a-goldmine-for-pii-and-social-engineering\/"},"modified":"2023-01-07T05:49:40","modified_gmt":"2023-01-07T11:49:40","slug":"twitter-data-breach-shows-apis-are-a-goldmine-for-pii-and-social-engineering","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/07\/twitter-data-breach-shows-apis-are-a-goldmine-for-pii-and-social-engineering\/","title":{"rendered":"Twitter data breach shows APIs are a goldmine for PII and social engineering\u00a0"},"content":{"rendered":"
\n

Check out all the on-demand sessions from the Intelligent Security Summit here<\/a><\/em>.<\/p>\n

\n<\/div>\n

A Twitter API vulnerability shipped<\/a> in June 2021 (and later patched) has come back to haunt the organization. In December, one hacker claimed to have the personal data of 400 million users for sale on the dark web, and just yesterday, attackers released<\/a> the account details and email addresses of 235 million users for free.\u00a0<\/p>\n

Information exposed as part of the breach include users\u2019 account names, handles, creation date, follower count and email addresses. When put together, threat actors can create social engineering campaigns to trick users into handing over their personal data.\u00a0<\/p>\n

While the information exposed was limited to users\u2019 publicly available information, the high-volume of accounts exposed in a single location provides threat actors with a goldmine of information they can use to orchestrate highly targeted social engineering attacks.\u00a0<\/p>\n

Social media giants offer cybercriminals a gold mine of information they can use to conduct social engineering scams.\u00a0<\/p>\n

<\/p>\n
\n

Event<\/h3>\n
\n

Intelligent Security Summit On-Demand<\/span><\/p>\n

Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.<\/span><\/p>\n<\/div>\n


\n Watch Here <\/a>\n <\/p>\n<\/div>\n

<\/body><\/p>\n

With just a name, email address and contextual information taken from a user\u2019s public profile, a hacker can conduct reconnaissance on a target and develop purpose-built scams and phishing<\/a> campaigns to trick them into handing over personal information.<\/p>\n

\u201cThis leak essentially doxxes the personal email addresses of high-profile users (but also of regular users), which can be used for spam harassment and even attempts to hack those accounts,\u201d said Miklos Zoltan, Privacy Affairs<\/a> security researcher.\u00a0\u201cHigh-profit users may get inundated with spam and phishing attempts on a mass scale.\u201d <\/p>\n

For this reason, Zoltan recommends that users create different passwords for each site they use to reduce the risk of account takeover<\/a>\u00a0attempts.<\/p>\n

Beyond APIs that \u2018just work\u2019 <\/h2>\n

Organizations too are increasingly concerned around API security<\/a>, with 94% of technology decision-makers reporting they are only moderately confident in their organization\u2019s ability to materially reduce API data security issues.\u00a0<\/p>\n

From now on, enterprises that leverage APIs need to be much more proactive about baking security into their products, while users need to take extra caution around potentially malicious emails.\u00a0<\/p>\n

\u201cThis is a common example of how an unsecured API that developers design to \u2018just work\u2019 can remain unsecured, because when it comes to security, what is out-of-sight is often out-of-mind,\u201d said Jamie Boote, associate software security consultant at Synopsys<\/a> Software Integrity Group. \u201cFrom now on, it\u2019s probably best to just delete any emails that look like they\u2019re from Twitter to avoid phishing scams.\u201d\u00a0<\/p>\n

Protecting APIs and PII\u00a0<\/h2>\n

One of the core challenges around addressing API breaches is the fact that modern enterprises need to discover and secure thousands of APIs.\u00a0\u00a0<\/p>\n

\u201cProtecting organizations from API attacks requires consistent, diligent oversight of vendor management, and specifically ensuring that every API is fit for use,\u201d said Chris Bowen, CISO at ClearDATA<\/a>. \u201cIt\u2019s a lot for organizations to manage, but the risk is too great not to.\u201d<\/p>\n

There\u2019s also a slim margin for error, as a single vulnerability can put user data directly at risk of exfiltration.\u00a0<\/p>\n

\u201cIn healthcare, for example, where patient data is at stake, every API should address several components like identity management, access management, authentication, authorization, data transport and exchange security, and trusted connectivity,\u201d said Bowen.\u00a0<\/p>\n

It\u2019s also important that security teams not make the mistake of relying solely on simple authentication options such as usernames and passwords to protect their APIs.\u00a0<\/p>\n

\u201cIn today\u2019s environment, basic usernames and passwords are no longer enough,\u201d said Will Au, senior director for DevOps, operations and site reliability at Jitterbit<\/a>.\u00a0\u201cIt\u2019s now vital to use standards such as two-factor authentication (2FA) and\/or secure authentication with OAuth.\u201d <\/p>\n

Other steps like deploying a Web Application Firewall (WAF), and monitoring API traffic in real-time can help to detect malicious activity and reduce the chance of compromise.\u00a0<\/p>\n

VentureBeat’s mission<\/strong> is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.<\/a><\/p>\n<\/p><\/div>\n

Read More<\/a>
\n Tim Keary<\/p>\n","protected":false},"excerpt":{"rendered":"

Check out all the on-demand sessions from the Intelligent Security Summit here. A Twitter API vulnerability shipped in June 2021 (and later patched) has come back to haunt the organization. In December, one hacker claimed to have the personal data of 400 million users for sale on the dark web, and just yesterday, attackers released<\/p>\n","protected":false},"author":1,"featured_media":594972,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[252,46,687],"tags":[],"class_list":{"0":"post-594971","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-breach","8":"category-technology","9":"category-twitter"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/594971","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=594971"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/594971\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/594972"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=594971"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=594971"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=594971"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}