At a glance.

  • Twitter investigates apparent data breach.
  • LockBit holds Canadian town’s data hostage.
  • Indian grocery’s customer delivery data exposed.
  • Third-party breach affects Smithsonian data.

The “devil” may be in the Twitter details.

A hacker who goes by the handle “devil” has posted data he claims is connected to 5.4 million Twitter user accounts, the Record by Recorded Future reports. He’s offering the data for sale on hacking site BreachForums for a cool $30,000, and according to devil, the stolen data include emails and phone numbers of “celebrities, companies, randoms, OGs, etc.” Researchers say the data are linked to a vulnerability discovered on Twitter’s platform last January that would allow a hacker to search for a twitter account by its phone number or email even if the user has the necessary privacy settings turned on. “Zhirinovskiy,” the researcher who detected the bug, explains, “The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.” (“Zhirinovsky” is also a nom-de-hack, probably an homage to the since-deceased, fanatically nationalist Russian politician Vladimir Volfovich Zhirinovsky.)

9to5Mac adds that even suspended accounts are accessible. Twitter was informed of the issue upon detection and shortly thereafter stated it had been resolved, but apparently not before devil or an associate was able to extract the data that are now being offered for sale. A Twitter spokesperson stated, “We’re grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this. We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”

Aaron Sandeen, CEO and co-founder, Cyber Security Works, notes that even the big operations can be afflicted by vulnerabilities. 

“This latest Twitter incident is unfortunate, but it’s nothing new to those of us who work in vulnerability management. What makes this breach stand out is that it was one of the most prominent tech companies, but vulnerabilities don’t discriminate and are consistently leaving millions of people at risk. This situation highlights the delayed reactions organizations have when it comes to reporting or remediating vulnerabilities in the products they create or depend on to operate.

“It is crucial that organizations and enterprises are aware of the vulnerabilities that threat groups and attackers exploit, and curate a plan to patch them. Knowing how vulnerable you are to cyberattacks and evaluating your security posture through constant vulnerability management and proactive penetration testing is crucial to building more robust protection as new hacking groups emerge.”

LockBit holds data of Canadian town hostage.

Officials in the town of St. Marys, located in Ontario, Canada, first became aware that an attacker had locked and encrypted its internal server last Wednesday. On Friday, ransomware gang Lockbit boasted on its dark web portal that it had stolen 67 gigabytes of data from St. Marys, including confidential info and financial documents, and Global News reports that a St. Marys spokesperson has confirmed the incident was the work of the infamous hacker group. According to a timer on the Lockbit site, the town has until July 30 to meet the threat actors’ ransom demands, or else they’ll publish the sensitive data. It’s unclear how much money LockBit is asking for, but so far St. Marys has not given in. Mayor Al Strathdee explained, “We’re going to act on our legal advice. As well, we’re engaged with the [Ontario Provincial Police] and we’re waiting to take their advice and we will follow legal advice on all steps.”

Indian grocery’s customer delivery data exposed.

Indian supermarket chain Spinneys has disclosed that a security incident last week resulted in the exposure of customer data stored for its online delivery service. According to an email notification sent to customers, the compromised data include “the name, email address, mobile number, delivery address and previous online delivery details [products, delivery time and order value] of customers who used our online shopping channels.” The National adds that no banking details were exposed, as fortunately that information is not stored on the store’s servers. An investigation is ongoing and more details will be released to customers as they emerge.

Smithsonian data exposed in third-party data breach.

The Smithsonian’s National Zoo & Conservation Biology Institute released a statement on Friday confirming that institute data were exposed in a cybersecurity incident impacting digital marketing firm WordFly, which the institute uses for sending community email notifications. WorldFly suffered a ransomware attack earlier this month that shutdown its website and other services. A few days after the incident, WordFly confirmed that Smithsonian data had been exported as part of the attack, though WordFly says the attackers have deleted the information. “We will continue to monitor this situation and receive updates from WordFly and the forensic experts assisting them with this incident,” the Smithsonian’s statement adds.