Twitter claims that the information of “millions” of people has been exposed because of fraudulent third-party applications. The data concerned includes names, nicknames, emails and probably tweets. Facebook reports the same: according to the social network, millions of users are likely to have been affected.
On October 16, 2019, Bob Diachenko and Vinny Troia discovered a wide-open Elasticsearch server containing an unprecedented 4 billion user accounts spanning more than 4 terabytes of data.
The total count of unique people across all data sets exceeded 1.2 billion, making this one of the largest data leaks from a single source organization in history. The leaked data contained names, email addresses, phone numbers, and profile information.
Only Android users are affected
Developers have used the SDK developed by a company called OneAudience to create apps that steal users’ data. Users are first invited to sign in with their credentials from another platform, such as Twitter or Facebook, to avoid creating a new account.
This is a very common process, but apparently a very harmful one. As a reminder, it gives the application's creators access to some of the user's data on the platform chosen for identification. Thanks to a flaw in the Android ecosystem, malicious developers have been able to glean much more data than they had the right to. No iOS user seems to have been affected by this leak.
“Although we have no evidence to suggest that this has been used to take control of a Twitter account, it is possible that a person can do it,” warned Twitter on its blog this Monday.
OneAudience states that it immediately deployed an update to prevent the illegal collection of user data by developers, and that the information in question has not been added to its database. At the same time, OneAudience announced that it is ending its SDK program.