Recent Social Media Attack Exposes User Data on the Dark Web

Cybersecurity researchers at HackerOne released a warning back in January 2022 that a security vulnerability in Twitter can allow an attacker to steal the phone number and/or email address associated with a user’s account – even if the user has those fields hidden in their security settings. Twitter released a patch, but it was reported in July that a database of user information stolen from the platform was being sold on Breach Forums, a popular hacking forum on the Dark Web.

According to HackerOne, the compromised database of accounts consisted of 5.4 million users, and included datasets for celebrities, politicians and businesses. Breach Forums has reportedly verified the authenticity of the leaked data.

“This is just more confirmation that privacy is an illusion for the most part,” warned Timothy Morris, Technology Strategist at Tanium.

“The ability of this vulnerability to expose someone’s aliases or non-attributable Twitter profiles demonstrates this reality in a powerful way,” Morris explained. “It’s concerning, especially for those in sensitive situations, such as crime victims, political activists/dissidents, and those under the thumb of oppressive regimes. While in this instance, the discovery was responsibly disclosed and addressed, the reality is Twitter handles and identities are a sought-after commodity that can be used to compromise other systems or wreak havoc in someone’s personal life. It’s likely that there are other vulnerabilities yet to be exposed that will yield similar access, so it’s reasonable to expect this trend to continue.”

It’s not just Twitter that experienced a cybersecurity-related issue recently. Facebook was also the target of an attack: researchers announced that a new malware operation named “Ducktail” has been targeting users and employees who have access to a Facebook Business account.

“Ducktail” is harmful because it steals browser cookies and takes advantage of authenticated Facebook sessions to steal information from a victim’s account. The new malware operation is able to hijack any Facebook Business account.

“As businesses become more aware and resilient to traditional ransomware attacks, cybercriminals will look for new ways to convert successful cyberattacks into ill-gotten financial gains,” said Chris Clements, Vice President of Solutions Architecture at cybersecurity firm Cerberus Sentinel.

“Historically we’ve seen similar attacks on social media accounts such as the Twitter hack in July 2020 that included Elon Musk among over 100 other celebrities that targeted account followers by tweeting out cryptocurrency scams from the compromised accounts, but the directed approach of targeting Facebook business accounts is a new and interesting angle,” Clements continued. “Contrasting with prior social media hijacking that makes itself obvious very quickly by posting links to scams or malware, this campaign is stealthier, looking to modify ad spends or introduce ad fraud.”

Experts say that organizations looking to protect themselves from threats need a true culture of security that considers all potential threats as part of their risk management strategy – and that includes social media.

“Often, social media accounts are managed by PR or marketing teams with no input or oversight from the cybersecurity teams to ensure that best practices for those accounts include strong passwords, multifactor authentication, and real-time monitoring capabilities to detect potential compromise,” explained Clements. “Still, it’s important for businesses to understand that the risk from this latest threat goes beyond just social media accounts like Facebook. The Ducktail malware steals more info from its victims than just Facebook access that could be used to launch further attacks directed at both the person and business.”

When using social media, users may not think of the implications that can arise if they overshare. However, oversharing can paint a very vivid picture of a person, which can then be exploited by hackers.

“This story is just one more example of the success of social engineering used by hackers. Social engineering is the number one cause of most malicious data breaches,” said Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4.

“Nothing else is even close, percentage-wise,” Grimes warned. “Nearly every organization could best improve their cybersecurity defense plans if they focused far more on reducing the likelihood of social engineering compromise. No other single defense could do more to protect an organization against hacking and malware. Every organization should look to see what they can improve in their defense-in-depth plan (e.g., policies, technical defenses, and education) to defeat social engineering. It is because almost no organization appropriately focuses the necessary resources and training against social engineering that allows hackers and malware to be so long-term successful. Hackers love that defenders are distracted and don’t focus appropriate resources on the number one threat.”

Security experts warn that users shouldn’t let their guard down when it comes to social media. In fact, they should strive to adopt a secure policy.

“To avoid being victimized, it’s best to operate under the mindset that digital footprints exist everywhere and can never be completely eradicated, and thus, anonymity in the digital realm is a fallacy,” said Morris. “For developers, this vulnerability also shows there’s still a need for proper input validation and to ensure that any request is authorized or authenticated. The root of this specific vulnerability is that of improper access control.”

These attacks show that better authentication tools should be used by everyone.

“As individuals, we are aware of the personal threats posed by cyberattacks directed against us,” suggested Erfan Shadabi, Cybersecurity Expert with comforte AG.

“As members of businesses and organizations, we know that enterprise data, which is the lifeblood of the corporation, is always a tempting target for hackers,” Shadabi continued. “The recent attack against Twitter should underscore the need for data-centric security such as tokenization or format-preserving encryption to be applied to sensitive data wherever it resides in order to render that data incomprehensible and thus worthless for exploitation. Preventing attacks and breaches is not 100 percent fool-proof, so we can only hope that big techs have instituted the mitigating measures of data-centric security applied directly to data in case that sensitive information falls into the wrong hands.”

Story via Forbes
