
Life’s not about a job, it’s about purpose. We believe real change starts with conversation. Here, your voice matters. Come as you are and together we’ll do what’s right (not what’s easy) to serve the public conversation.

Twitter A.I CyberSecurity Scoring

Twitter

Company Details

Linkedin ID: twitter
Employees number: 1,128
Number of followers: 1,574,846
NAICS: 5112
Industry Type: Software Development
Homepage: x.com
IP Addresses: 0
Company ID: TWI_2435611
Scan Status: In-progress

Twitter Risk Score (AI oriented): between 0 and 549 (powered by Rankiteo's proprietary A.I cyber incident model; insurers prefer the TPRM score for calculating premiums)

Twitter Global Score (TPRM): XXXX (not displayed)
Twitter Company CyberSecurity News & History

Past Incidents: 16
Attack Types: 4
Entity | Type | Severity | Impact | Seen | Rankiteo Explanation
Twitter | Breach | 85 | 4 | 07/2020 | Attack with significant impact with customers data leaks
Twitter | Breach | 100 | 5 | 12/2022 | Attack threatening the organization’s existence
Twitter | Breach | 100 | 6 | 08/2022 | Attack threatening the economy of a geographical region
Twitter | Breach | 100 | 4 | 4/2025 | Attack with significant impact with customers data leaks
Twitter | Breach | 100 | 4 | 6/2023 | Attack with significant impact with customers data leaks
Twitter/X | Cyber Attack | 60 | 2 | 3/2025 | Attack limited on finance or reputation
Twitter (now X Corp) | Cyber Attack | 60 | 2 | 7/2020 | Attack limited on finance or reputation
Twitter | Cyber Attack | 80 | 4 | 7/2022 | Attack with significant impact with customers data leaks
X (formerly Twitter) | Cyber Attack | 100 | (not stated) | 3/2025 | Attack threatening the organization’s existence
Twitter | Cyber Attack | 100 | 5 | 3/2025 | Attack threatening the organization’s existence
Twitter | Data Leak | 50 | 2 | 06/2020 | Attack limited on finance or reputation
Twitter | Data Leak | 50 | 2 | 05/2017 | Attack limited on finance or reputation
Twitter | Data Leak | 85 | 4 | 01/2023 | Attack with significant impact with customers data leaks
Twitter | Data Leak | 85 | 3 | 05/2018 | Attack with significant impact with internal employee data leaks
Twitter | Vulnerability | 60 | 3 | 08/2020 | Attack with significant impact with internal employee data leaks
Twitter | Vulnerability | 100 | 5 | 02/2016 | Attack threatening the organization's existence

Incident descriptions are given in the detailed records that follow.

Entity: Twitter
Type: Breach
Severity: 85
Impact: 4
Seen: 07/2020
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: The attack was described as the biggest hack in the social media platform’s history. It compromised 130 Twitter accounts, including 45 that sent a tweet claiming that anyone who transferred money to a linked Bitcoin address could double their investment. The accounts of several high-profile figures, including Microsoft co-founder Bill Gates and Tesla CEO Elon Musk, were hijacked in the Bitcoin scam. The scammers tricked 398 people into handing over more than £109,000 in bitcoin. Twitter described the incident as a coordinated social engineering attack against employees with access to its internal tools.

Entity: Twitter
Type: Breach
Severity: 100
Impact: 5
Seen: 12/2022
Rankiteo Explanation: Attack threatening the organization’s existence

Description: A seller apparently listed data related to 400 million Twitter users for sale. The data, allegedly scraped through a vulnerability, included email, name, username, follower_count, creation_date, and phone_number. The seller demanded $276 million USD from Twitter, citing the GDPR breach fines it would otherwise face, in exchange for selling the stolen data to Twitter exclusively.

Entity: Twitter
Type: Breach
Severity: 100
Impact: 6
Seen: 08/2022
Rankiteo Explanation: Attack threatening the economy of a geographical region

Description: Twitter suffered a data breach after a threat actor compiled a list of 5.4 million user account profiles by exploiting a now-patched zero-day vulnerability that could be used to link email addresses and phone numbers to users' accounts. The vulnerability allowed anyone to submit an email address or phone number, verify whether it was associated with a Twitter account, and retrieve the related account ID. The threat actor verified phone numbers or email addresses, scraped public information such as follower counts, screen name, login name, location, profile picture URL and other details, and sold the data for $30,000.

Entity: Twitter
Type: Breach
Severity: 100
Impact: 4
Seen: 4/2025
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: A massive breach involving an ex-employee leaked detailed user profile data from roughly 2.87 billion Twitter accounts, combining new and previously exposed information. The dataset includes user metadata like IDs, screen names, follower counts, and tweets, increasing risks of phishing and impersonation. Although no sensitive information such as email addresses was found in the new data, the merge with past breaches presents a comprehensive user profile view. Twitter has not acknowledged the breach, which stands as the second-largest in history.

Entity: Twitter
Type: Breach
Severity: 100
Impact: 4
Seen: 6/2023
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: A data breach allegedly perpetrated by a disgruntled employee during a period of mass layoffs at Twitter may have resulted in the leakage of profile metadata from up to 2.87 billion users. While the breach itself does not contain email addresses, the merged dataset combining the 2025 leak with a previous 2023 leak does, enabling potential phishing attacks and privacy violations. The lack of an official response from Twitter raises concerns about the extent of compromised user data and corporate accountability.

Entity: Twitter/X
Type: Cyber Attack
Severity: 60
Impact: 2
Seen: 3/2025
Rankiteo Explanation: Attack limited on finance or reputation

Description: Twitter/X (now rebranded as X) suffered a **massive distributed denial-of-service (DDoS) attack** on **March 10, 2025**, orchestrated by the **Rapper Bot botnet**, operated by Ethan J. Foltz and an unidentified co-conspirator. The attack, exceeding **two terabits per second**, caused **intermittent global outages**, disrupting services for millions of users. The botnet, comprising **tens of thousands of hacked IoT devices**, overwhelmed Twitter/X’s infrastructure, leading to **downtime, financial losses from mitigation efforts (estimated between $500–$10,000 per attack at scale), and reputational damage**. While no data breach occurred, the attack demonstrated the platform’s vulnerability to **extortion-driven cybercrime**, as Rapper Bot was primarily rented to **online extortionists targeting gambling operations and businesses**. The incident also highlighted the broader threat of **DDoS-for-hire services**, which exploit weak IoT security to cripple high-profile targets. Twitter/X’s outage, though temporary, underscored the **operational and financial risks** posed by large-scale DDoS attacks, particularly when leveraged for **criminal extortion schemes**.

Entity: Twitter (now X Corp)
Type: Cyber Attack
Severity: 60
Impact: 2
Seen: 7/2020
Rankiteo Explanation: Attack limited on finance or reputation

Description: In July 2020, Twitter suffered a high-profile breach orchestrated by Joseph James O'Connor ('PlugwalkJoe') and accomplices, who exploited **SIM-swapping and social engineering** to gain access to internal admin tools. The attackers hijacked verified accounts of prominent figures (e.g., Barack Obama, Bill Gates, Jeff Bezos) to post fraudulent Bitcoin scam tweets, netting over **$100,000 in hours**. Beyond financial fraud, the breach enabled unauthorized access to **private direct messages (DMs)**, extortion of victims, and threats against celebrities. The incident exposed critical vulnerabilities in Twitter’s **identity verification and internal controls**, eroding user trust and prompting regulatory scrutiny. While no large-scale data leak of user credentials occurred, the reputational damage was severe, compounded by the platform’s role in facilitating high-profile scams. The UK’s **£4.11 million ($5.39M) asset seizure** from O’Connor—via civil recovery orders—highlights the breach’s financial and legal fallout, including cross-border enforcement actions. The attack underscored risks of **insider tool abuse** and **account takeover (ATO) via telecom exploits**, though no ransomware or systemic outages were reported.

Entity: Twitter
Type: Cyber Attack
Severity: 80
Impact: 4
Seen: 7/2022
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: Twitter was targeted by a cyber attack in July 2022. Influencers, celebrities, politicians, journalists, activists, and government and private organizations were the prime targets. Attackers compromised verified Twitter accounts and used them to send fake suspension notices.

Entity: X (formerly Twitter)
Type: Cyber Attack
Severity: 100
Impact: (not stated)
Seen: 3/2025
Rankiteo Explanation: Attack threatening the organization’s existence

Description: The sophisticated RapperBot botnet campaign targeted digital video recorders (DVRs) worldwide, exploiting vulnerable IoT devices to execute large-scale DDoS attacks. The campaign, a variant of the Mirai malware, compromised DVR systems to gain unauthorized access to surveillance cameras, leading to significant privacy and security issues. The attack on X (formerly Twitter) on March 10, 2025, caused a service disruption, demonstrating the malware's persistence and evolution over three years. The attackers exploited weak default passwords and infrequent firmware updates in DVRs, making them ideal for long-term botnet recruitment. The campaign's reach was amplified by targeting DVRs manufactured by Korean OEM ITX Security, distributed across multiple brands.

Entity: Twitter
Type: Cyber Attack
Severity: 100
Impact: 5
Seen: 3/2025
Rankiteo Explanation: Attack threatening the organization’s existence

Description: On Monday, Twitter experienced multiple worldwide outages attributed to DDoS attacks by the Dark Storm hacktivist group. While not explicitly confirmed by owner Elon Musk, it is suggested that Twitter was the target of a 'massive cyberattack', likely due to political motivations by the pro-Palestinian group. Users were presented with a Cloudflare captcha due to the DDoS protections put in place. This incident caused significant disruption to Twitter's services, impacting users globally. The financial implications and potential loss of user trust could harm Twitter's reputation, albeit temporarily.

Entity: Twitter
Type: Data Leak
Severity: 50
Impact: 2
Seen: 06/2020
Rankiteo Explanation: Attack limited on finance or reputation

Description: Twitter experienced another security incident. Business users’ billing information was inadvertently stored in the browser’s cache, where other people sharing the same computer could have accessed it. The data includes the business users’ email addresses, phone numbers, and the last four digits of the credit card number associated with the account.

Entity: Twitter
Type: Data Leak
Severity: 50
Impact: 2
Seen: 05/2017
Rankiteo Explanation: Attack limited on finance or reputation

Description: Twitter suffered a data breach incident and notified Vine users of a bug that exposed their email addresses and, in some cases, phone numbers to third parties. It also warned impacted users to be wary of any communications coming from unfamiliar senders. Twitter told users that they do not need to reset the passwords on their Vine accounts, but that they should be aware that any official communication from Vine will come from an @twitter.com email address, and that Twitter never asks users via email to open an attachment or provide their password.

Entity: Twitter
Type: Data Leak
Severity: 85
Impact: 4
Seen: 01/2023
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: Twitter gave an update on the investigation it initiated after discovering that the personal information of 200 million users was being sold online. There is no proof that the data were obtained through breaking into the company's systems. Since the 200 million dataset was not collected by abusing Twitter's servers, it was unable to be correlated with the previously disclosed incident. The business emphasised that the vast amount of data is probably a component of a publicly accessible dataset that comes from various sources. Based on data and intelligence analysed to look into the matter, there is no proof that the information being sold online was obtained through abusing a flaw in Twitter's infrastructure.

Entity: Twitter
Type: Data Leak
Severity: 85
Impact: 3
Seen: 05/2018
Rankiteo Explanation: Attack with significant impact with internal employee data leaks

Description: Twitter has advised all of its 330 million+ users to update their passwords following the discovery of a fault that left them in plain text on internal servers. The number of impacted accounts was not disclosed by the company, but Reuters was informed by a source familiar with the company's response that it was a sizable number. According to the corporation, over 330 million people have been affected, and just one internal system had plain text data kept on it. Twitter declared that the security flaw had been resolved and that an internal inquiry had been launched to determine whether insiders had misused user data.

Entity: Twitter
Type: Vulnerability
Severity: 60
Impact: 3
Seen: 08/2020
Rankiteo Explanation: Attack with significant impact with internal employee data leaks

Description: Twitter disclosed a new security vulnerability that exposed the direct messages of users who access the service from Android devices. The vulnerability exposed the private data of Twitter users running Android OS versions 8 and 9. It could allow an attacker, through a malicious app installed on the device, to access private Twitter data on that device by working around the Android system permissions that are meant to protect it.

Entity: Twitter
Type: Vulnerability
Severity: 100
Impact: 5
Seen: 02/2016
Rankiteo Explanation: Attack threatening the organization's existence

Description: A bug in how Twitter handled password reminders allowed users to take control of other accounts such as @emoji and @god. Normally, when a user requested a password reset, the associated email address was partially masked with asterisks; in this case the full email address tied to the account was displayed. This allowed hackers to hijack many accounts and tweet on their behalf, but the majority of the accounts taken over were soon restored to normal.

Twitter Company Scoring based on AI Models

Cyber Incidents Likelihood 3 - 6 - 9 months: incident predictions locked (Access Monitoring Plan)

A.I Risk Score Likelihood 3 - 6 - 9 months: A.I. Risk Score predictions locked (Access Monitoring Plan)

Underwriter Stats for Twitter

Incidents vs Software Development Industry Average (This Year)

Twitter has 830.23% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Twitter has 525.0% more incidents than the average of all companies with at least one recorded incident.

Incident Types Twitter vs Software Development Industry Avg (This Year)

Twitter reported 4 incidents this year: 3 cyber attacks, 0 ransomware, 0 vulnerabilities and 1 data breach, compared with industry peers that have at least 1 recorded incident.

[Chart] Incident History — Twitter (X = Date, Y = Severity): Twitter cyber incidents detection timeline including parent company and subsidiaries

Twitter Company Subsidiaries

None listed.

Twitter Similar Companies

NetSuite, Shopee, Booking.com, Dassault Systèmes, Meituan, SAP, Cox Automotive Inc., Pitney Bowes, Instagram


Twitter CyberSecurity News

November 24, 2025 08:00 AM
How To Hide Your Country Location on X (Twitter) by Switching to Region

X (formerly known as Twitter) has added a new location detail in its account transparency section. It shows where an account is based and...

October 31, 2025 07:00 AM
KRA’s X Account Hacked Amidst National Cybersecurity Week

The Kenya Revenue Authority (KRA) official X account (formerly Twitter) has been compromised by unknown hackers.

October 28, 2025 07:00 AM
Cybersecurity News: Atlas browser hijacked, Bye, bye Twitter birdie, Dante spyware surfaces

If a user pastes one of these crafted URLs into the omnibox, Atlas interprets the input as trusted user intent, allowing attackers to redirect...

October 28, 2025 07:00 AM
PSA: X users have until November 10 to re-enroll their security keys

If you're a former Twitter user still using X and rely on a hardware security key for your two-factor authentication (2FA) method,...

October 28, 2025 07:00 AM
X to Phase Out Twitter Domain - Users Advised to Re-enroll in 2FA Keys

Social media platform X announced that it will stop supporting the old Twitter.com website for two-factor authentication (2FA) by November...

October 27, 2025 05:21 AM
Twitter to lock down accounts using security keys and TCS and Marks and Spencer Cyber Attack disputes

Twitter to Lock Down Accounts Using Hardware Security Keys for Two-Factor Authentication (2FA). All X (formerly Twitter) users are now being notified about...

October 12, 2025 07:00 AM
1,166 Women In Cybersecurity We Follow On Twitter, And You Should Too

Mwite @magwite techie, security evangelist, Christ-follower, Whovian, wannabe supermom. Advocate for women in tech & victims of Domestic...

September 05, 2025 07:00 AM
Scammers Exploit Grok AI With Video Ad Scam to Push Malware on X

Researchers at Guardio Labs have uncovered a new “Grokking” scam where attackers trick Grok AI into spreading malicious links on X. Learn...

September 04, 2025 07:09 PM
X Twitter users face Grokking Malware Attack

X Twitter users face Grokking Malware Attack ... Users of X (formerly known as Twitter) are being urged to exercise caution as a new wave of cyberattacks is...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Twitter CyberSecurity History Information

Official Website of Twitter

The official website of Twitter is https://twitter.com.

Twitter’s AI-Generated Cybersecurity Score

According to Rankiteo, Twitter’s AI-generated cybersecurity score is 320, reflecting their Critical security posture.

How many security badges does Twitter have ?

According to Rankiteo, Twitter currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Twitter have SOC 2 Type 1 certification ?

According to Rankiteo, Twitter is not certified under SOC 2 Type 1.

Does Twitter have SOC 2 Type 2 certification ?

According to Rankiteo, Twitter does not hold a SOC 2 Type 2 certification.

Does Twitter comply with GDPR ?

According to Rankiteo, Twitter is not listed as GDPR compliant.

Does Twitter have PCI DSS certification ?

According to Rankiteo, Twitter does not currently maintain PCI DSS compliance.

Does Twitter comply with HIPAA ?

According to Rankiteo, Twitter is not compliant with HIPAA regulations.

Does Twitter have ISO 27001 certification ?

According to Rankiteo, Twitter is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Twitter

Twitter operates primarily in the Software Development industry.

Number of Employees at Twitter

Twitter employs approximately 1,128 people worldwide.

Subsidiaries Owned by Twitter

Twitter presently has no subsidiaries across any sectors.

Twitter’s LinkedIn Followers

Twitter’s official LinkedIn profile has approximately 1,574,846 followers.

NAICS Classification of Twitter

Twitter is classified under the NAICS code 5112, which corresponds to Software Publishers.

Twitter’s Presence on Crunchbase

No, Twitter does not have a profile on Crunchbase.

Twitter’s Presence on LinkedIn

Yes, Twitter maintains an official LinkedIn profile, which is actively used for branding and talent engagement. It can be accessed here: https://www.linkedin.com/company/twitter.

Cybersecurity Incidents Involving Twitter

As of December 04, 2025, Rankiteo reports that Twitter has experienced 16 cybersecurity incidents.

Number of Peer and Competitor Companies

Twitter has an estimated 27,191 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Twitter ?

Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Data Leak, Cyber Attack and Breach.

What was the total financial impact of these incidents on Twitter ?

Total Financial Loss: The total financial loss from these incidents is estimated to be $100 billion.

How does Twitter detect and respond to cybersecurity incidents ?

Detection and Response: Across the recorded incidents, the company's detection and response measures are described as follows.

Remediation measures: restored affected accounts to normal; enhanced MFA for employees; internal tool access restrictions.

Containment measures: the security flaw has been resolved; arrest of Ethan J. Foltz; seizure of botnet infrastructure; disruption of Rapper Bot operations; account lockdowns; revoking admin access; password resets.

Incident response plan activated: DoD DCIS investigation; FBI/federal law enforcement raid; Telegram chat logs seized; yes (Twitter locked affected accounts, investigated internally).

Third party assistance: PayPal (subpoenaed for payment records); Google (subpoenaed for Gmail/IP data); Arizona ISP (hosted control server); US law enforcement (FBI); UK Crown Prosecution Service (CPS); Spanish authorities (extradition).

Law enforcement notified: yes (FBI led investigation, CPS handled UK asset recovery).

Communication strategy: warned users to be wary of unfamiliar communications and advised about official communications from @twitter.com email address; advised all users to update their passwords; DoJ press release; KrebsOnSecurity reporting; public disclosure of arrest; public statements by Twitter; victim notifications; CPS press release (2023-11-14).

Enhanced monitoring: likely (post-breach security upgrades).

Incident Details

Can you provide details on each incident ?

Incident : Data Breach

Title: Twitter Data Breach Incident

Description: Twitter suffered a data breach incident after a threat actor compiled a list of 5.4 million user account profiles by exploiting a now-patched zero-day vulnerability that was used to link email addresses and phone numbers to users' accounts.

Type: Data Breach

Attack Vector: Zero-day vulnerability

Vulnerability Exploited: Vulnerability allowing linkage of email addresses and phone numbers to Twitter accounts

Motivation: Data scraping and selling

Incident : Data Breach

Title: Twitter Vine Data Breach

Description: Twitter suffered a data breach incident, exposing email addresses and, in some cases, phone numbers of Vine users to third parties. It warned impacted users to be wary of any communications coming from unfamiliar senders. Twitter asked users not to reset passwords on their Vine accounts, but said they should be aware that any official communications from Vine will come from an @twitter.com email address. Twitter never asks you via email to open an attachment or request your password.

Type: Data Breach

Vulnerability Exploited: Bug in Vine

Incident : Data Breach

Title: Twitter Data Breach

Description: A seller has listed data related to 400 million Twitter users for sale. The data, allegedly scraped due to a vulnerability, included email, name, username, follower_count, creation_date, and phone_number. The seller demanded $276 million USD in GDPR breach fines from Twitter to buy the stolen data exclusively.

Type: Data Breach

Attack Vector: Scraping

Vulnerability Exploited: Data Scraping Vulnerability

Threat Actor: Unknown Seller

Motivation: Financial Gain

Incident : Data Breach

Title: Twitter Billing Information Exposure

Description: Twitter experienced a security incident where business users’ billing information was inadvertently stored in the browser’s cache. This data includes email addresses, phone numbers, and the last four digits of their credit card numbers associated with the account.

Type: Data Breach

Attack Vector: Inadvertent Storage in Browser Cache

Vulnerability Exploited: Browser Cache Storage

Incident : Vulnerability

Title: Twitter Android Direct Message Vulnerability

Description: Twitter experienced a new security vulnerability that exposed the direct messages of users who access the service using Android devices. The vulnerability exposed the private data of Twitter users running devices with Android OS versions 8 and 9. It could allow an attacker, through a malicious app installed on the device, to access private Twitter data on people's devices by working around the Android system permissions that protect against this.

Type: Vulnerability

Attack Vector: Malicious App

Vulnerability Exploited: Android system permissions bypass

Motivation: Data Theft

Incident : Data Breach

Title: Twitter Data Breach Incident

Description: Twitter discovered that the personal information of 200 million users was being sold online. There is no evidence that the data was obtained through a breach of the company's systems. The data is likely part of a publicly available dataset from various sources.

Type: Data Breach

Incident : Data Breach

Title: Twitter Password Exposure Incident

Description: Twitter has advised all of its 330 million+ users to update their passwords following the discovery of a fault that left them in plain text on internal servers.

Type: Data Breach

Vulnerability Exploited: Internal system flaw exposing plain text passwords

Incident : DDoS Attack

Title: Twitter DDoS Attack by Dark Storm

Description: On Monday, Twitter experienced multiple worldwide outages attributed to DDoS attacks by the Dark Storm hacktivist group. While not explicitly confirmed by owner Elon Musk, it is suggested that Twitter was the target of a 'massive cyberattack', likely due to political motivations by the pro-Palestinian group. Users were presented with a Cloudflare captcha due to the DDoS protections put in place. This incident caused significant disruption to Twitter's services, impacting users globally. The financial implications and potential loss of user trust could harm Twitter's reputation, albeit temporarily.

Type: DDoS Attack

Attack Vector: Distributed Denial of Service (DDoS)

Threat Actor: Dark Storm hacktivist group

Motivation: Political motivations (pro-Palestinian group)

Incident : Data Breach

Title: Twitter Data Breach by Disgruntled Employee

Description: A data breach allegedly perpetrated by a disgruntled employee during a period of mass layoffs at Twitter may have resulted in the leakage of profile metadata from up to 2.87 billion users. While the breach does not contain email addresses, the merged dataset from the 2025 leak combined with a previous 2023 leak does, enabling potential phishing attacks and privacy violations. The lack of an official response from Twitter raises concerns about the extent of compromised user data and corporate accountability.

Type: Data Breach

Attack Vector: Insider Threat

Threat Actor: Disgruntled Employee

Motivation: Revenge/Malice

Incident : Data Breach

Title: Twitter Data Breach Involving 2.87 Billion Accounts

Description: A massive breach involving an ex-employee leaked detailed user profile data from roughly 2.87 billion Twitter accounts, combining new and previously exposed information. The dataset includes user metadata like IDs, screen names, follower counts, and tweets, increasing risks of phishing and impersonation. Although no sensitive information such as email addresses was found in the new data, the merge with past breaches presents a comprehensive user profile view. Twitter has not acknowledged the breach, which stands as the second-largest in history.

Type: Data Breach

Attack Vector: Internal Threat

Vulnerability Exploited: Unauthorized Access by Ex-Employee

Threat Actor: Ex-Employee

Incident : Botnet

Title: RapperBot Botnet Campaign Targeting DVRs

Description: A sophisticated botnet campaign targeting digital video recorders (DVRs) has emerged as a significant threat to surveillance infrastructure worldwide, with cybercriminals exploiting vulnerable IoT devices to build massive botnets capable of large-scale distributed denial-of-service attacks.

Type: Botnet

Attack Vector: Compromised DVR systems

Vulnerability Exploited: Weak default passwords, infrequent firmware updates

Threat Actor: RapperBot operators

Motivation: Building botnets for DDoS attacks

Incident : Distributed Denial-of-Service (DDoS) Attack

Title: Rapper Bot Botnet DDoS Attacks and Arrest of Operator Ethan J. Foltz

Description: A 22-year-old Oregon man, Ethan J. Foltz, was arrested for operating 'Rapper Bot,' a massive botnet used to launch distributed denial-of-service (DDoS) attacks, including a March 2025 attack that knocked Twitter/X offline. The botnet, comprising tens of thousands of hacked IoT devices, was rented out to online extortionists, primarily targeting gambling operations in China. Foltz and an unidentified co-conspirator ('Slaykings') avoided law enforcement attention by refraining from attacking high-profile targets like KrebsOnSecurity. The botnet conducted over 370,000 attacks between April and August 2025, targeting 18,000 unique victims across 1,000 networks, with most victims in China, Japan, the U.S., Ireland, and Hong Kong. Foltz admitted to operating the botnet and wiping logs weekly to obscure evidence. The botnet's code was derived from 'fBot' (a variant of the Mirai botnet). Foltz faces charges of aiding and abetting computer intrusions, with a maximum penalty of 10 years in prison.

Date Publicly Disclosed: 2025-08-06

Type: Distributed Denial-of-Service (DDoS) Attack

Attack Vector: IoT Device Exploitation, DDoS-for-Hire Service, Botnet Malware (Rapper Bot, derived from fBot/Mirai)

Vulnerability Exploited: Unpatched IoT Devices, Unknown Zero-Day Exploit (mentioned in Telegram chats)

Threat Actor: Ethan J. Foltz (Springfield, Oregon, U.S.; primary operator of Rapper Bot); Unknown, alias Slaykings (co-conspirator, profit-sharing partner).

Motivation: Financial Gain (DDoS-for-Hire), Avoiding Law Enforcement Detection, Extortion of Online Businesses (e.g., Chinese Gambling Operations)

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Zero-day vulnerability, Weak default passwords, infrequent firmware updates, Exploited IoT Devices, Unknown Zero-Day (mentioned in chats) and SIM-Swapping (Mobile Carrier Compromise).

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Breach TWI0499822

Data Compromised: Email addresses, Phone numbers, User account profiles, Follower counts, Screen name, Login name, Location, Profile picture url

Incident : Data Breach TWI112727922

Data Compromised: Email addresses, Phone numbers

Incident : Data Breach TWI2247261222

Data Compromised: Email, Name, Username, Follower_count, Creation_date, Phone_number

Incident : Data Breach TWI19516123

Data Compromised: Email addresses, Phone numbers, Last four digits of credit card numbers

Incident : Vulnerability TWI232926123

Data Compromised: Direct Messages

Systems Affected: Android devices with OS versions 8 and 9

Incident : Data Breach TWI1659131023

Data Compromised: Personal information of 200 million users

Incident : Data Breach TWI421251223

Data Compromised: Passwords

Systems Affected: Internal servers

Incident : DDoS Attack TWI131031125

Systems Affected: Twitter's services

Downtime: Significant disruption to Twitter's services

Brand Reputation Impact: Potential loss of user trust and harm to Twitter's reputation

Incident : Data Breach TWI829032925

Data Compromised: Profile metadata

Brand Reputation Impact: Concerns about corporate accountability

Identity Theft Risk: Potential phishing attacks and privacy violations

Incident : Data Breach TWI602040125

Data Compromised: User ids, Screen names, Follower counts, Tweets

Brand Reputation Impact: Significant

Identity Theft Risk: High

Incident : Botnet TWI606062325

Systems Affected: DVR systems

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Financial Loss: Estimated $500–$10,000 per 2+ Tbps attack (30-second duration); cumulative losses across 370,000+ attacks unknown

Systems Affected: Twitter/X (March 10, 2025 outage); 18,000 unique victims across 1,000 networks; DoD Internet addresses (targeted)

Downtime: Intermittent outages for Twitter/X; variable downtime for 18,000 victims

Operational Impact: Disruption of online services (e.g., gambling platforms); potential extortion payments by victims

Brand Reputation Impact: Negative publicity for Twitter/X; reputational damage to affected businesses (e.g., gambling sites)

Legal Liabilities: Potential extortion-related legal actions against victims; regulatory scrutiny for affected entities

What is the average financial loss per incident ?

Average Financial Loss: The average financial loss per incident is $6.25 billion.

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Email Addresses, Personal Information, Phone Numbers, Name, Username, Follower Count, Creation Date, Last Four Digits Of Credit Card Numbers, Direct Messages, Passwords, Profile Metadata, User Ids, Screen Names, Tweets, Private Direct Messages, Account Authentication Tokens and Contact Information.

Which entities were affected by each incident ?

Incident : Data Breach TWI0499822

Entity Name: Twitter

Entity Type: Social Media Platform

Industry: Technology

Customers Affected: 5.4 million user accounts

Incident : Data Breach TWI112727922

Entity Name: Twitter

Entity Type: Social Media Company

Industry: Technology

Incident : Data Breach TWI2247261222

Entity Name: Twitter

Entity Type: Company

Industry: Social Media

Location: Global

Customers Affected: 400,000,000

Incident : Data Breach TWI19516123

Entity Name: Twitter

Entity Type: Social Media Company

Industry: Technology

Incident : Vulnerability TWI232926123

Entity Name: Twitter

Entity Type: Social Media Platform

Industry: Technology

Incident : Data Breach TWI1659131023

Entity Name: Twitter

Entity Type: Social Media Platform

Industry: Technology

Customers Affected: 200 million users

Incident : Data Breach TWI421251223

Entity Name: Twitter

Entity Type: Company

Industry: Social Media

Size: 330 million+ users

Customers Affected: All 330 million+ users

Incident : DDoS Attack TWI131031125

Entity Name: Twitter

Entity Type: Social Media Platform

Industry: Technology

Location: Global

Customers Affected: Users globally

Incident : Data Breach TWI829032925

Entity Name: Twitter

Entity Type: Company

Industry: Technology

Customers Affected: Up to 2.87 billion users

Incident : Data Breach TWI602040125

Entity Name: Twitter

Entity Type: Company

Industry: Social Media

Customers Affected: 2,870,000,000

Incident : Botnet TWI606062325

Entity Name: ITX Security

Entity Type: OEM

Industry: Security

Location: Korea

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Entity Name: Twitter/X

Entity Type: Social Media Platform

Industry: Technology/Social Media

Location: Global (HQ: San Francisco, California, U.S.)

Size: Large (Public Company)

Customers Affected: Millions (indirect impact due to outages)

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Entity Name: Unnamed Chinese Gambling Operations

Entity Type: Online Gambling Platforms

Industry: Gambling/Entertainment

Location: China

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Entity Name: U.S. Department of Defense (DoD)

Entity Type: Government Agency

Industry: Defense/Military

Location: United States

Size: Large

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Entity Name: 18,000 Unique Victims

Entity Type: Businesses, Organizations, Individuals

Industry: Various (primarily in China, Japan, U.S., Ireland, Hong Kong)

Location: Global

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Breach TWI112727922

Communication Strategy: Warned users to be wary of unfamiliar communications and advised about official communications from @twitter.com email address.

Incident : Data Breach TWI421251223

Containment Measures: The security flaw has been resolved

Communication Strategy: Advised all users to update their passwords

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Incident Response Plan Activated: DoD DCIS Investigation; FBI/Federal Law Enforcement Raid; Telegram Chat Logs Seized

Third Party Assistance: PayPal (subpoenaed for payment records), Google (subpoenaed for Gmail/IP data), Arizona ISP (hosted control server).

Containment Measures: Arrest of Ethan J. Foltz; Seizure of Botnet Infrastructure; Disruption of Rapper Bot Operations

Communication Strategy: DoJ Press Release; KrebsOnSecurity Reporting; Public Disclosure of Arrest

What is the company's incident response plan?

Incident Response Plan: The company's incident response plan is described as DoD DCIS Investigation, FBI/Federal Law Enforcement Raid, Telegram Chat Logs Seized, and Yes (Twitter locked affected accounts, investigated internally).

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through PayPal (subpoenaed for payment records), Google (subpoenaed for Gmail/IP data), Arizona ISP (hosted control server), US Law Enforcement (FBI), UK Crown Prosecution Service (CPS) and Spanish Authorities (extradition).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach TWI0499822

Type of Data Compromised: Personal information

Number of Records Exposed: 5.4 million

Personally Identifiable Information: Email addresses, Phone numbers

Incident : Data Breach TWI112727922

Type of Data Compromised: Email addresses, Phone numbers

Incident : Data Breach TWI2247261222

Type of Data Compromised: Email, Name, Username, Follower_count, Creation_date, Phone_number

Number of Records Exposed: 400,000,000

Personally Identifiable Information: email, name, phone_number

Incident : Data Breach TWI19516123

Type of Data Compromised: Email addresses, Phone numbers, Last four digits of credit card numbers

Personally Identifiable Information: email addresses, phone numbers, last four digits of credit card numbers

Incident : Vulnerability TWI232926123

Type of Data Compromised: Direct Messages

Incident : Data Breach TWI1659131023

Type of Data Compromised: Personal information

Number of Records Exposed: 200 million

Incident : Data Breach TWI421251223

Type of Data Compromised: Passwords

Number of Records Exposed: Over 330 million

Sensitivity of Data: High

Data Encryption: Plain text

Incident : Data Breach TWI829032925

Type of Data Compromised: Profile Metadata

Number of Records Exposed: Up to 2.87 billion

Incident : Data Breach TWI602040125

Type of Data Compromised: User ids, Screen names, Follower counts, Tweets

Number of Records Exposed: 2,870,000,000

Sensitivity of Data: Medium

Data Exfiltration: Yes

Personally Identifiable Information: No sensitive information such as email addresses

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Restored affected accounts to normal, Enhanced MFA for Employees and Internal Tool Access Restrictions.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through resolving the security flaw, the arrest of Ethan J. Foltz, seizure of botnet infrastructure, disruption of Rapper Bot operations, account lockdowns, revoking admin access and password resets.

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Data Breach TWI2247261222

Ransom Demanded: $276,000,000

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Data Breach TWI2247261222

Regulations Violated: GDPR

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Regulations Violated: Computer Fraud and Abuse Act (CFAA), Potential Extortion Laws

Legal Actions: Criminal Charges Against Ethan J. Foltz (1 count of aiding/abetting computer intrusions), Potential Extradition of Aaron Sterritt (fBot operator)

Regulatory Notifications: DoD DCIS Involvement, FBI Cyber Division

How does the company ensure compliance with regulatory requirements ?

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Criminal Charges Against Ethan J. Foltz (1 count of aiding/abetting computer intrusions), Potential Extradition of Aaron Sterritt (fBot operator), US Criminal Conviction (2023) and UK Civil Recovery Order (2023-11-14).

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Lessons Learned: Avoiding high-profile targets (e.g., KrebsOnSecurity) can prolong botnet longevity; regular log-wiping can hinder investigations but is not foolproof; botnet operators prioritize 'Goldilocks' size to balance power and stealth; DDoS-for-hire services enable low-effort, high-impact cybercrime; IoT device security remains a critical vulnerability for large-scale attacks.

What recommendations were made to prevent future incidents ?

Incident : Data Breach TWI112727922

Recommendations: Users should be cautious of unfamiliar communications and verify the authenticity of official communications.

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Recommendations: Strengthen IoT device security (e.g., default credential changes, patch management); monitor for unusual traffic patterns (e.g., 2+ Tbps spikes); implement DDoS mitigation strategies (e.g., overprovisioning, scrubbing services); collaborate with law enforcement to disrupt botnet infrastructure; avoid paying extortion demands to discourage DDoS-for-hire markets.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: ensure proper masking of sensitive information in password reset processes; avoiding high-profile targets (e.g., KrebsOnSecurity) can prolong botnet longevity; regular log-wiping can hinder investigations but is not foolproof; botnet operators prioritize 'Goldilocks' size to balance power and stealth; DDoS-for-hire services enable low-effort, high-impact cybercrime; IoT device security remains a critical vulnerability for large-scale attacks; SIM-swapping remains a critical vector for high-impact account takeovers; internal admin tools require stricter access controls and monitoring; celebrity/high-profile accounts need additional protection layers; cross-border collaboration is essential for prosecuting cybercriminals; cryptocurrency tracing enables asset recovery post-conviction.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Users should be cautious of unfamiliar communications and verify the authenticity of official communications., Monitor for SIM-swap indicators (e.g., sudden carrier changes), Establish cross-jurisdictional legal frameworks for asset recovery, Implement hardware-based MFA for all employees (especially those with admin access), Implement robust security measures to prevent unauthorized access to account information., Conduct regular red-team exercises targeting social engineering vectors and Segment internal tools to limit lateral movement.

References

Where can I find more information about each incident ?

Incident : Data Breach TWI421251223

Source: Reuters

Incident : Botnet TWI606062325

Source: NICTER analysts

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Source: KrebsOnSecurity

URL: https://krebsonsecurity.com

Date Accessed: 2025-08-06

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Source: U.S. Department of Justice (DoJ) Criminal Complaint

Date Accessed: 2025-08-06

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Source: Defense Criminal Investigative Service (DCIS)

URL: https://www.dcis.dod.mil

Date Accessed: 2025-08-06

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources.

Source: Reuters

Source: NICTER analysts

Source: KrebsOnSecurity, URL: https://krebsonsecurity.com, Date Accessed: 2025-08-06

Source: U.S. Department of Justice (DoJ) Criminal Complaint, Date Accessed: 2025-08-06

Source: Defense Criminal Investigative Service (DCIS), URL: https://www.dcis.dod.mil, Date Accessed: 2025-08-06

Source: The Register, URL: https://www.theregister.com/2023/11/20/twitter_hacker_uk_asset_seizure/, Date Accessed: 2023-11-20

Source: US Department of Justice, URL: https://www.justice.gov/usao-sdny/pr/uk-national-sentenced-five-years-prison-hacking-twitter-accounts-and-conducting-sim, Date Accessed: 2023-06-23

Source: UK Crown Prosecution Service, URL: https://www.cps.gov.uk/cps/news/cyber-criminal-loses-ps41m-profits-twitter-hack, Date Accessed: 2023-11-14

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Breach TWI1659131023

Investigation Status: Ongoing

Incident : Data Breach TWI421251223

Investigation Status: Internal inquiry launched to determine whether insiders had misused user data

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Investigation Status: Ongoing (Foltz arrested; Slaykings at large; botnet disrupted)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through warning users to be wary of unfamiliar communications and advising about official communications from @twitter.com email address, advising all users to update their passwords, DoJ press release, KrebsOnSecurity reporting, public disclosure of arrest, public statements by Twitter, victim notifications and CPS press release (2023-11-14).

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach TWI112727922

Customer Advisories: Warned users to be wary of unfamiliar communications and advised about official communications from @twitter.com email address.

Incident : Data Breach TWI421251223

Customer Advisories: All users advised to update their passwords

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Stakeholder Advisories: DoD entities targeted by Rapper Bot; online businesses (especially gambling platforms) warned about extortion risks.

Customer Advisories: Twitter/X users notified of March 2025 outage; general public advised on IoT security best practices

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: users warned to be wary of unfamiliar communications and advised about official communications from the @twitter.com email address; all users advised to update their passwords; DoD entities targeted by Rapper Bot; online businesses (especially gambling platforms) warned about extortion risks; Twitter/X users notified of March 2025 outage; general public advised on IoT security best practices; Twitter Security Updates (2020); FBI Cyber Division Alerts; CPS Proceeds of Crime Announcement; Twitter Support Notifications to Affected Users (2020); Scam Victim Restitution (ongoing).

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Data Breach TWI0499822

Entry Point: Zero-day vulnerability

Incident : Botnet TWI606062325

Entry Point: Weak default passwords, infrequent firmware updates

Reconnaissance Period: Continuous refinement over three years

High Value Targets: DVRs manufactured by ITX Security

Data Sold on Dark Web: DVRs manufactured by ITX Security

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Entry Point: Exploited IoT devices; unknown zero-day (mentioned in chats)

High Value Targets: Chinese gambling operations; DoD IP addresses; Twitter/X

Data Sold on Dark Web: Chinese gambling operations; DoD IP addresses; Twitter/X

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Breach TWI0499822

Root Causes: Zero-day vulnerability

Incident : Botnet TWI606062325

Root Causes: Weak default passwords, infrequent firmware updates

Incident : Distributed Denial-of-Service (DDoS) Attack TWI523082025

Root Causes: Poor IoT device security (default credentials, unpatched vulnerabilities); lack of DDoS mitigation preparedness among victims; profit-driven cybercriminal ecosystem (DDoS-for-hire); inadequate international cooperation to dismantle botnets.

Corrective Actions: Law enforcement takedown of Rapper Bot infrastructure; public awareness campaigns on IoT security; encouragement of DDoS protection services (e.g., Project Shield); pursuit of co-conspirators (e.g., Slaykings, Aaron Sterritt).

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as: PayPal (subpoenaed for payment records); Google (subpoenaed for Gmail/IP data); Arizona ISP (hosted control server); US law enforcement (FBI); UK Crown Prosecution Service (CPS); Spanish authorities (extradition); and likely post-breach security upgrades.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: fix the bug and restore affected accounts; law enforcement takedown of Rapper Bot infrastructure; public awareness campaigns on IoT security; encouragement of DDoS protection services (e.g., Project Shield); pursuit of co-conspirators (e.g., Slaykings, Aaron Sterritt); Twitter implemented stricter access controls post-breach; enhanced MFA requirements for employees; US/UK law enforcement collaboration on cybercrime asset recovery; public awareness campaigns on SIM-swap risks.

Additional Questions

General Information

What was the amount of the last ransom demanded ?

Last Ransom Demanded: The amount of the last ransom demanded was 276000000.

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking groups in the last incidents were: Hackers; Unknown Seller; Dark Storm hacktivist group; Disgruntled Employee; Ex-Employee; RapperBot operators; Ethan J. Foltz (Springfield, Oregon, U.S.; primary operator of Rapper Bot); Unknown (alias Slaykings; co-conspirator and profit-sharing partner); and Joseph James O'Connor (aka 'PlugwalkJoe') and accomplices.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2022-07-01.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2020-07-15.

Impact of the Incidents

What was the highest financial loss from an incident ?

Highest Financial Loss: The highest financial loss from an incident was $100,000+ (from Bitcoin scam) + £4.11 million ($5.39 million) seized in crypto assets.

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were: Email addresses, Phone numbers, User account profiles, Follower counts, Screen name, Login name, Location, Profile picture URL; Verified Twitter accounts; Email addresses, Phone numbers; email, name, username, follower_count, creation_date, phone_number; email addresses, phone numbers, last four digits of credit card numbers; Twitter Accounts, Direct Messages, Personal information of 200 million users, Passwords, Profile Metadata; User IDs, Screen Names, Follower Counts, Tweets; Private Direct Messages, Account Credentials, High-Profile User Data.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were: Internal servers; Twitter's services; Twitter/X (March 10, 2025 outage), 18,000 unique victims across 1,000 networks, DoD Internet addresses (targeted); Twitter internal admin tools, celebrity/high-profile accounts (e.g., Barack Obama, Bill Gates, Jeff Bezos).

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was: PayPal (subpoenaed for payment records); Google (subpoenaed for Gmail/IP data); Arizona ISP (hosted control server); US law enforcement (FBI); UK Crown Prosecution Service (CPS); Spanish authorities (extradition).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: the security flaw has been resolved; arrest of Ethan J. Foltz, seizure of botnet infrastructure, disruption of Rapper Bot operations; account lockdowns, revoking admin access, password resets.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Phone numbers, Verified Twitter accounts, email, follower_count, User account profiles, Direct Messages, Personal information of 200 million users, Email addresses, creation_date, last four digits of credit card numbers, phone_number, High-Profile User Data, Login name, phone numbers, Profile Metadata, Tweets, Follower counts, name, Profile picture URL, Twitter Accounts, Follower Counts, Private Direct Messages, User IDs, username, Location, Screen Names, Account Credentials, Passwords, email addresses and Screen name.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 3.4B.

Ransomware Information

What was the highest ransom demanded in a ransomware incident ?

Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was 276000000.

Regulatory Compliance

What was the highest fine imposed for a regulatory violation ?

Highest Fine Imposed: The highest fine imposed for a regulatory violation was $794,000 forfeiture (US) and £4.11 million asset seizure (UK).

What was the most significant legal action taken for a regulatory violation ?

Most Significant Legal Action: The most significant legal actions taken for a regulatory violation were: criminal charges against Ethan J. Foltz (1 count of aiding/abetting computer intrusions); potential extradition of Aaron Sterritt (fBot operator); US criminal conviction (2023); UK civil recovery order (2023-11-14).

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Cryptocurrency tracing enables asset recovery post-conviction.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: collaborate with law enforcement to disrupt botnet infrastructure; avoid paying extortion demands to discourage DDoS-for-hire markets; users should be cautious of unfamiliar communications and verify the authenticity of official communications; monitor for SIM-swap indicators (e.g., sudden carrier changes); establish cross-jurisdictional legal frameworks for asset recovery; implement hardware-based MFA for all employees (especially those with admin access); implement DDoS mitigation strategies (e.g., overprovisioning, scrubbing services); strengthen IoT device security (e.g., default credential changes, patch management); implement robust security measures to prevent unauthorized access to account information; conduct regular red-team exercises targeting social engineering vectors; segment internal tools to limit lateral movement; monitor for unusual traffic patterns (e.g., 2+ Tbps spikes).

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent source of information about an incident are US Department of Justice, NICTER analysts, The Register, Reuters, KrebsOnSecurity, Defense Criminal Investigative Service (DCIS), U.S. Department of Justice (DoJ) Criminal Complaint and UK Crown Prosecution Service.

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URLs for additional resources on cybersecurity best practices are https://krebsonsecurity.com, https://www.dcis.dod.mil, https://www.theregister.com/2023/11/20/twitter_hacker_uk_asset_seizure/, https://www.justice.gov/usao-sdny/pr/uk-national-sentenced-five-years-prison-hacking-twitter-accounts-and-conducting-sim, and https://www.cps.gov.uk/cps/news/cyber-criminal-loses-ps41m-profits-twitter-hack.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were: DoD entities targeted by Rapper Bot; online businesses (especially gambling platforms) warned about extortion risks; Twitter Security Updates (2020); FBI Cyber Division Alerts; CPS Proceeds of Crime Announcement.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were: users warned to be wary of unfamiliar communications and advised about official communications from the @twitter.com email address; all users advised to update their passwords; Twitter/X users notified of March 2025 outage; general public advised on IoT security best practices; Twitter Support Notifications to Affected Users (2020); Scam Victim Restitution (ongoing).

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were: weak default passwords and infrequent firmware updates; SIM-swapping (mobile carrier compromise); zero-day vulnerability.

What was the most recent reconnaissance period for an incident ?

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Continuous refinement over three years, Weeks/Months (target selection, carrier research).

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: bug in password reminder system; zero-day vulnerability; weak default passwords, infrequent firmware updates; poor IoT device security (default credentials, unpatched vulnerabilities), lack of DDoS mitigation preparedness among victims, profit-driven cybercriminal ecosystem (DDoS-for-hire), inadequate international cooperation to dismantle botnets; inadequate MFA for Twitter employee accounts, mobile carrier vulnerabilities (SIM-swap exploits), overprivileged internal admin tools, lack of behavioral monitoring for anomalous access.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were: fix the bug and restore affected accounts; law enforcement takedown of Rapper Bot infrastructure, public awareness campaigns on IoT security, encouragement of DDoS protection services (e.g., Project Shield), pursuit of co-conspirators (e.g., Slaykings, Aaron Sterritt); Twitter implemented stricter access controls post-breach, enhanced MFA requirements for employees, US/UK law enforcement collaboration on cybercrime asset recovery, public awareness campaigns on SIM-swap risks.

Latest Global CVEs (Not Company-Specific)

Description

MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.

Risk Information
cvss3
Base: 6.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Description

XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via crafted body of a POST request.

Description

An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass.

Description

Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.

Risk Information
cvss4
Base: 9.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult, where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.

Risk Information
cvss4
Base: 5.5
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=twitter' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident

Finding

Grade

Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.