Welcome to The Cybersecurity 202! More in the semiregular installment of, “How I would behave as a character in a movie or TV show”: A loved one is injured and dying, so I’m not just going to hold them, say “Stay with me!” and yell at other people for help. I’m calling 911.
Twitter’s latest hack is a big one
Below: A look at Chinese surveillance in the wake of crackdowns on protests, and Meta gets slapped with a major fine over data processing. First:
Twitter can’t stay out of regulators’ crosshairs
Already under elevated regulatory scrutiny since its purchase by Elon Musk, Twitter could be facing even more government oversight after the records of 235 million accounts and the emails connected to them have surfaced on an online forum.
The leak sets “the stage for anonymous handles to be linked to real-world identities,” my colleague Joseph Menn reports.
While the Federal Trade Commission declined to comment, it was already conducting an inquiry into whether Twitter had violated a deal promising to better protect user data. Recently, the FTC asked Twitter whether it still had the resources to comply with that consent decree after Musk’s dramatic personnel cuts.
Twitter has been facing more regulatory scrutiny on the international front, too, a situation set to intensify after the latest revelations.
The hacker who claimed credit for obtaining the data set advertised it for sale online on Dec. 23. The hacker said it contained 400 million records. Alon Gal, a co-founder of the Israeli security company Hudson Rock who spotted the posting, later put the number of affected users at 235 million.
“This database is going to be used by hackers, political hacktivists and of course governments to harm our privacy even further,” Gal said.
Wrote Joseph: “Those users at the least risk provided throwaway email addresses or ones not tied to them elsewhere. But even they could be subject to account takeover attempts, phishing or emailed threats.” Twitter didn’t respond to a request for comment about advice to its users.
The person who advertised the data claims that they were able to get the records in 2021 by using data-scraping methods via a since-patched vulnerability that Twitter disclosed in August 2022. Twitter said it learned of the vulnerability in January 2022.
It’s not the first time hackers appear to have exploited that vulnerability. In another incident, which appears to be a separate case, hackers in July 2022 were found selling 5.4 million Twitter account handles as well as their associated email addresses and phone numbers.
January 2022, by the way, was when Twitter fired its top two security officials, including Peiter “Mudge” Zatko. Zatko would later file a whistleblower complaint with the Securities and Exchange Commission alleging that Twitter was violating its 2011 consent decree, citing disastrous security and privacy missteps.
The hacker who posted the hundreds of millions of records last month has made additional claims, some of which couldn’t be independently verified, about celebrity names caught up in the leak. The hacker is seeking $200,000 for sale of the complete data set.
Gal’s firm tweeted that some of the claims look to be at least related to the overall breach.
“Piers Morgan, who appeared in the data samples provided by the Twitter hacker, just had his account hacked,” Hudson Rock tweeted. “This is likely not a coincidence: The reveal of the email address may have been just what the hacker needed to find passwords for the account, or social engineer his way.”
Regardless of who’s in the actual data set, the suspected size of the breach would put it on any list of some of the biggest in U.S. history.
In a coincidence of timing, the Irish Data Protection Commission had announced on Dec. 23 that it was investigating the breach that affected 5.4 million users — the same day the apparent second hacker posted the 235 million records.
In response to the emergence of the newest data set, the Irish Data Protection Commission said that it “will examine Twitter's compliance with data-protection law in relation to that security issue,” Chris Vallance of the BBC reported on Dec. 30.
U.S. regulators have also been watching developments at the company since Musk took over. “We are tracking recent developments at Twitter with deep concern,” the FTC said in response to privacy and security departures at the social media giant. “No CEO or company is above the law, and companies must follow our consent decrees.”
Musk has inspired lawmakers to issue warnings over his handling of the company, among them Sen. Edward J. Markey (D-Mass.), who got into a spat on Twitter with the company’s billionaire owner.
With Markey’s permission, The Post in November was able to create a “verified” impostor account posing as Markey. My colleague Geoffrey A. Fowler writes that he was able to impersonate Markey even after the company rolled out a new way to authenticate its paid “verified” accounts.
“It’s an absolute joke that Elon Musk, who prides himself on being a tech entrepreneur, can’t implement a functioning verification regime — except users aren’t laughing,” Markey said.
- “Twitter’s current leadership has failed to safeguard the platform from misinformation, failed to provide answers to my simple questions regarding their anti-fraud protocols, and failed to demonstrate an appreciation for the role that their platform plays in our democracy,” he said.
China protest crackdowns have seen intense use of surveillance
Protesters and human rights lawyers believe that Chinese authorities may have used cell tower data to find phones near areas that saw protests against China’s “zero covid” policies, leading to protesters being subjected to intense surveillance measures, Cate Cadell and Christian Shepherd report. China’s government hasn’t acknowledged that protesters have been arrested, and The Post couldn’t independently verify protesters’ accounts.
“[The police] seem to have used some modern technology, network technology, and they have collected a data pool of phone numbers of all the people involved in the incident,” said a lawyer with direct knowledge of protester cases who spoke on the condition of anonymity because of the matter’s sensitivity. “People have been called in for questioning one after another.”
Chinese authorities have deployed hundreds of millions of surveillance cameras, including cameras using facial recognition technology, in cities across the country. Police procurement documents also “include technology used to scrape and analyze cellphone data from hundreds of domestic and foreign apps,” Cate and Christian write.
Irish regulator fines Meta more than $400 million
The Irish Data Protection Commission (DPC) levied the $414 million fine against Facebook and Instagram over personal data processing for behavioral advertising, RTÉ Ireland’s Brian O’Donovan reports. The DPC investigated the companies after complaints that Facebook and Instagram, which are both owned by Meta, forced users to accept the terms of service and wouldn’t allow them to opt out of data processing associated with that.
Meta indicated that it plans to appeal. “We strongly believe our approach respects [the General Data Protection Regulation], and we're therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines,” a Meta spokesperson told the outlet. “These decisions do not prevent targeted or personalized advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising.”
- Brandon Pugh is now a policy director on the R Street Institute’s cybersecurity and emerging threats team. He was previously a senior fellow on that team.
Thanks for reading. See you tomorrow.
Gloss