
Data of 487 million WhatsApp users available online, and the mystery of the Twitter violation

by admin

An archive containing 487 million records of WhatsApp users was put up for sale last week on BreachForums, a well-known forum for the marketing and exchange of data from data breaches.

The database contains the mobile numbers of users updated to 2022 and relating to users from 84 countries, including Italy with 34 million records (second only to Egypt).

The threat actor behind the announcement told the CyberNews website that he plans to sell the archive by country. For example, the US subset containing 32 million records is priced at $7,000, while the data of users in England and Germany is priced at $2,500 and $2,000, respectively.

The vendor provided Cybernews with a sample containing 1097 UK and 817 US user numbers, and the website’s experts verified its authenticity.

An attacker in possession of these archives could organize smishing (phishing via SMS) or vishing (phishing via telephone) attacks to carry out various types of fraud.

At the moment it is not clear how the seller obtained these records: it could be the exploitation of a flaw in the platform, or the result of scraping by malicious actors. In this regard, I asked the cyber security expert Dario Fadda for an opinion.

“The data most likely comes from a large export that took place last summer, thanks to an as-yet-unknown vulnerability in the Twitter backend, which gave criminals the ability to download large amounts of personal data, including the telephone numbers of the users of the social network,” Fadda explains. “Criminal processing of these data has made it possible to cross them with others obtained from scraping activities on Facebook, thus obtaining large collections of valid telephone numbers for WhatsApp which can be used for fraud of all kinds to the detriment of these last users.”

However, right now another case is a source of concern for us insiders: I am talking about the availability of 5.4 million Twitter accounts, and more.

First things first, in late July, a malicious actor leaked the data of 5.4 million Twitter accounts obtained by exploiting a now fixed vulnerability in the popular social media platform.

The data was put up for sale on various forums used by criminal communities. In January, a report released on bug bounty platform HackerOne confirmed the discovery of a vulnerability that could be exploited by an attacker to find a Twitter account by phone number or associated email, even if the user chose to prevent it in the privacy options.

In August, Twitter itself confirmed that the data breach was caused by the same vulnerability.

Matters became more complicated this week when the website 9to5mac.com said the platform’s confirmed data breach may be more serious than initially claimed, because multiple threat actors exploited the same vulnerability to gain access to the valuable data.

Source: Twitter account @sonoclaudio

In fact, the 9to5Mac website reports the availability of different datasets containing the same information in a different format and offered by different vendors. According to a source on the website, the affected accounts are only those that had the “Discoverability | Let users who have your number find you on Twitter” phone option enabled at the end of 2021 (an option that is hard to find in Twitter’s settings).
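To make the mechanism behind this flaw concrete, here is a constructed example (added here; it is not Twitter's code, and every name, setting and account in it is an assumption). It models a lookup endpoint that receives a phone number or e-mail address and returns the matching handle: the vulnerable version ignores the user's discoverability settings, while the hardened version honours them, answers identically for "not registered" and "opted out", and caps the number of lookups per caller so that bulk enumeration of the kind described above becomes visible and expensive.

```python
"""Constructed model of an account-discoverability lookup (not Twitter's code).

The vulnerable handler reveals the handle behind any registered phone number
or e-mail, regardless of the owner's privacy choice. The hardened handler
checks the per-user discoverability flags and gives the same answer for an
unregistered identifier and for a user who opted out, so the response itself
leaks nothing. A per-caller budget makes mass lookups stand out.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool  # "let people who have your email find you"
    discoverable_by_phone: bool  # "let people who have your number find you"


# Constructed sample directory; these are not real accounts.
DIRECTORY = [
    Account("alice", "alice@example.com", "+15550000001", True, True),
    Account("bob", "bob@example.com", "+15550000002", False, False),
    Account("carol", "carol@example.com", "+15550000003", True, False),
]


def _find(identifier: str) -> Optional[Account]:
    """Exact match on e-mail or phone; returns None when nobody registered it."""
    for acct in DIRECTORY:
        if identifier in (acct.email, acct.phone):
            return acct
    return None


def lookup_vulnerable(identifier: str) -> Optional[str]:
    """Flawed behaviour: any registered identifier resolves to a handle,
    so the discoverability setting is silently ignored."""
    acct = _find(identifier)
    return acct.handle if acct else None


def lookup_hardened(identifier: str) -> Optional[str]:
    """Correct behaviour: resolve only if the owner opted in for this
    identifier type; otherwise answer exactly as for an unknown identifier."""
    acct = _find(identifier)
    if acct is None:
        return None
    allowed = (
        acct.discoverable_by_email if "@" in identifier else acct.discoverable_by_phone
    )
    return acct.handle if allowed else None


class LookupService:
    """Hardened lookup plus a per-caller budget. A single caller resolving
    thousands of identifiers is the signature of enumeration, not of a
    contact-sync feature, so the excess is refused and flagged."""

    def __init__(self, max_lookups_per_caller: int = 100):
        self.limit = max_lookups_per_caller
        self.counts = defaultdict(int)

    def lookup(self, caller_id: str, identifier: str) -> Optional[str]:
        self.counts[caller_id] += 1
        if self.counts[caller_id] > self.limit:
            # In a real service this would also raise an alert for review.
            raise PermissionError(f"lookup budget exceeded for caller {caller_id!r}")
        return lookup_hardened(identifier)


if __name__ == "__main__":
    # bob opted out of both: the flawed handler still exposes him.
    print("vulnerable:", lookup_vulnerable("+15550000002"))  # bob
    print("hardened:  ", lookup_hardened("+15550000002"))    # None
    # carol allows e-mail discovery but not phone discovery.
    print("hardened:  ", lookup_hardened("carol@example.com"))  # carol
    print("hardened:  ", lookup_hardened("+15550000003"))       # None
```

The design point is that the hardened response is indistinguishable between "no such number" and "user opted out", so a caller cannot even learn that a number belongs to some account; the lookup budget then addresses scale rather than the individual query.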

The archive viewed by 9to5Mac includes data belonging to Twitter users in the UK, most EU countries and parts of the US.

Experts speculate that multiple threat actors have accessed Twitter’s database and combined it with data from other security breaches, thereby creating ready-to-use data sets for criminal groups specializing in various types of fraud.

So far this is a worrying but familiar situation; however, one newly revealed detail opens the door to a more disturbing scenario.

The security researcher known on Twitter as @chadloder told 9to5Mac that the datasets were created from a database of over 100 million email addresses (much larger than the initial archive of 5.4 million records confirmed by Twitter) by exploiting the aforementioned vulnerability in Twitter.

The researcher said he reached out to Twitter for comment, but the entire media relations team had left the company; ironically, he was reportedly “shut up” with the suspension of his account.

Chad Loder has released a larger dataset on the Mastodon platform; the data it contains is missing from the original archive that went on sale in August, demonstrating how much larger the data breach was.

Reading the announcement posted on the forum by the seller, I noticed that he also declares the availability of a separate archive containing about 1.4 million suspended accounts. This immediately seemed strange to me, and I decided to compare notes with my colleague @sonoclaudio, who was also surprised by the presence of this archive.

The question we asked was: why, months after the accounts were suspended, was their data still present in the database? The initial breach is dated 2021, while this new archive was disclosed a year later, even though Twitter had suspended the accounts following the incident. How long does Twitter keep data? Are we faced with a violation of the European GDPR regulation for European users?

The timeline of the incident and the real size of the stolen data should certainly be clarified.

To date, we have only one certainty: the data of WhatsApp and Twitter users can potentially be used in phishing campaigns, both targeted and large-scale, and to carry out various types of fraud.

Be wary of messages or phone calls informing you of the suspension of your accounts or urging you to take urgent action.
