5.4 million Twitter accounts available for sale online

Social media site Twitter has suffered a data breach of over 5.4 million accounts, which are now for sale on a hacking forum. The hacker, who goes by the alias ‘devil’, claimed in a post on Breach Forums that the stolen dataset includes email addresses and phone numbers from “Celebrities, to Companies, randoms, OGs, etc.” ‘OGs’ refers to desirable Twitter handles – either short ones or desirable words.

On January 1, 2022, a vulnerability was reported on HackerOne that allows an attacker to acquire the phone number and the email address associated with a Twitter account, even if the user has hidden these fields in their privacy settings.

“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” reads the description in the report submitted by zhirinovskiy.

“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”

Five days after the report was posted, Twitter acknowledged it as a “valid security issue”. After further investigation, Twitter fixed the vulnerability and awarded user zhirinovskiy a $5,040 bounty.
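The report above describes a classic account-enumeration flaw: a signup-time "is this address already taken?" check that answers an unauthenticated caller with the existing account's identifier, regardless of the owner's discoverability setting. The following Python sketch is an added illustration, not Twitter's code, the reporter's proof of concept, or Twitter's actual fix (which the page does not describe). The Account structure, the sample directory, the OUTBOX, the rate limiter and all function names are constructed for the example. It places the leaky pattern beside two defensive patterns: a duplicate check whose response is identical whether or not the address is registered (the information goes to the address owner by mail instead), and a contact lookup that requires authentication, honours the privacy flag, and is rate limited.

```python
"""Constructed illustration of an email-to-account enumeration flaw and two
defensive patterns. All data and names are made up for this example."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user_id: int
    handle: str
    email: str
    discoverable_by_email: bool  # the user's own privacy setting


# Constructed sample directory: one user opted in, one opted out.
ACCOUNTS = [
    Account(1001, "alice_og", "alice@example.com", discoverable_by_email=True),
    Account(1002, "bob_private", "bob@example.com", discoverable_by_email=False),
]
BY_EMAIL: Dict[str, Account] = {a.email: a for a in ACCOUNTS}

# Stand-in for an outbound mail queue: (recipient, message kind).
OUTBOX: List[Tuple[str, str]] = []


def duplicate_check_leaky(email: str) -> dict:
    """The flaw class in the report: an unauthenticated 'address taken?' check
    that returns the existing account's ID and ignores the privacy setting."""
    acct = BY_EMAIL.get(email)
    return {"taken": acct is not None, "user_id": acct.user_id if acct else None}


def duplicate_check_hardened(email: str) -> dict:
    """Same signup step, hardened: the caller gets the same response for a
    registered and an unregistered address. Whether the address is taken is
    told only to whoever controls the mailbox, via the queued message."""
    kind = "already_registered" if email in BY_EMAIL else "verify_new_account"
    OUTBOX.append((email, kind))
    return {"status": "verification_sent"}


class RateLimiter:
    """Sliding-window counter per caller (constructed for the example)."""

    def __init__(self, max_calls: int, window_s: float) -> None:
        self.max_calls = max_calls
        self.window_s = window_s
        self._hits: Dict[str, List[float]] = {}

    def allow(self, caller: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        # Keep only the timestamps still inside the window.
        hits = [t for t in self._hits.get(caller, []) if now - t < self.window_s]
        if len(hits) >= self.max_calls:
            self._hits[caller] = hits
            return False
        hits.append(now)
        self._hits[caller] = hits
        return True


def contact_lookup(
    email: str,
    caller: Optional[str],
    limiter: RateLimiter,
    now: Optional[float] = None,
) -> Optional[int]:
    """Authenticated 'find people by email' lookup. Anonymous callers are
    refused, the privacy flag is honoured, and the same None is returned for
    'no such account' and 'account opted out', so bulk enumeration is both
    unauthorised and, via the limiter, expensive."""
    if caller is None:
        raise PermissionError("authentication required")
    if not limiter.allow(caller, now):
        raise RuntimeError("rate limit exceeded")
    acct = BY_EMAIL.get(email)
    if acct is not None and acct.discoverable_by_email:
        return acct.user_id
    return None


if __name__ == "__main__":
    print("leaky:", duplicate_check_leaky("bob@example.com"))
    print("hardened:", duplicate_check_hardened("bob@example.com"),
          duplicate_check_hardened("nobody@example.com"))
    lim = RateLimiter(max_calls=2, window_s=60)
    print("lookup opted-in:", contact_lookup("alice@example.com", "user-1", lim))
    print("lookup opted-out:", contact_lookup("bob@example.com", "user-1", lim))
```

The design point is that the duplicate check and the discovery feature are separate decisions: signup never needs to hand back an identifier, and discovery is a feature the account owner must opt into, gated behind authentication and a per-caller budget that makes scripted bulk lookups conspicuous in logs.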

A threat actor is now selling the data acquired through this vulnerability for at least $30,000. It is being offered on Breach Forums, the same forum where 23 terabytes of data leaked from 1 billion Chinese citizens were posted for sale.


Marriott has been hacked again

The Marriott International hotel chain has confirmed that it has been hit by yet another data breach.

The data breach took place at one location, the BWI Airport Marriott near Baltimore. Marriott said that it is directly contacting the 300 to 400 guests who had credit card information exposed. The threat actor used social engineering to trick one hotel employee at this single Marriott hotel into providing access to their computer. The threat actor claimed to have tried to extort the hotel chain, but according to Marriott, no money was paid. In total, 20GB of data were leaked.

In 2018, Marriott revealed that it had been hit by an enormous database breach that affected 500 million of its guests. That data breach lasted 4 years. In another data breach in 2020, Marriott exposed the personal information of 5.2 million guests.


One billion records of Chinese citizens for sale online

Unknown threat actors claimed to have obtained data on one billion Chinese residents after breaching a database of the Shanghai police. If true, this data breach is the largest in the country’s history.

The anonymous internet user, identified as “ChinaDan”, posted on hacker forum Breach Forums last week, offering to sell the more than 23 terabytes (TB) of data for 10 bitcoin, equivalent to about $200,000. The data includes names, addresses, birthplaces, national IDs, phone numbers and criminal case information.

Zhao Changpeng, founder and CEO of cryptocurrency exchange Binance, tweeted last Monday that the company had detected the breach of a billion resident records “from one Asian country,” without specifying which, and had since stepped up its verification process for potentially affected users.

Shanghai authorities have not publicly responded to the purported data breach.
