Twitter: Pay for text 2FA || Another big data breach in India 🚂
CyberInsights #82 - Twitter asks non-Twitter Blue users to stop using text-based two-factor authentication || Railyatri, a train services portal in India, breached.
Twitter asks users to pay for text based 2FA
SMS-based two-factor authentication is not the most secure option, but Twitter's message makes it feel as if security is not the primary concern.
Free users of Twitter woke up to a rude message: if you are using Twitter for free, text-based OTPs will stop working within 30 days. It went on to ask users to move to app- or security-key-based 2FA.
Predictably, the infosec community went ballistic on, well, Twitter. Here are a few of the comments:
Experts agreed that most people would just turn off 2FA and never switch it on again.
Some people felt that the move was right, but not communicated clearly:
Whatever the reaction from the infosec community, text-based 2FA is on its way out.
Take Action:
If you are using Twitter, disable text-based 2FA and enable app- or security-key-based 2FA for your personal account.
For your corporate accounts, send your marketing teams a communication with detailed instructions (including screenshots) on changing the second factor, and follow up to confirm they have done it.
31 million impacted in Railyatri data breach 🚂
Any data breach in India is a big data breach.
Data from the train ticketing and services site RailYatri.in has been breached and is available on the dark web: around 31 million records full of personally identifiable information.
Rail - train; yatri (Hindi) - traveller
There is no information about this on the official site of Railyatri.
According to the article, the cause was a misconfigured Elasticsearch server: a public server with no authentication 🙄.
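As an added example (mine, not from the article and not Railyatri's configuration), the two constructed elasticsearch.yml fragments below show the weak pattern described above beside its corrected form, and a small audit function flags the settings that produce an unauthenticated, publicly reachable cluster. The setting names are real Elasticsearch keys; the values are constructed.

```python
from typing import Dict, List

# Constructed elasticsearch.yml fragments (not any real deployment's configuration).
WEAK_CONFIG = """\
cluster.name: ticketing
network.host: 0.0.0.0              # listens on every interface
http.port: 9200
xpack.security.enabled: false      # no authentication on the REST API
"""

HARDENED_CONFIG = """\
cluster.name: ticketing
network.host: 127.0.0.1            # loopback only; front it with an authenticated proxy or private network
http.port: 9200
xpack.security.enabled: true       # username/password or API-key auth required
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Bind values that expose the HTTP API beyond the local host.
NON_LOCAL_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for the flat `key: value` style elasticsearch.yml uses; comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch(text: str) -> List[str]:
    """Return human-readable findings for the exposure pattern; an empty list means nothing flagged."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    host = s.get("network.host", "127.0.0.1")  # Elasticsearch binds to loopback when unset
    security = s.get("xpack.security.enabled", "").lower()
    tls = s.get("xpack.security.http.ssl.enabled", "").lower()
    exposed = host in NON_LOCAL_BINDS

    if security != "true":
        findings.append("xpack.security.enabled is not true: REST API accepts requests without credentials")
    if exposed:
        findings.append(f"network.host={host}: HTTP API reachable from non-local interfaces")
        if security != "true":
            findings.append("CRITICAL: unauthenticated cluster bound to a public interface (the Railyatri pattern)")
        if tls != "true":
            findings.append("xpack.security.http.ssl.enabled is not true: credentials and data travel in clear text")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(cfg) or ["OK"])
```

Run this over the elasticsearch.yml of every cluster you own; the combination of a non-local `network.host` with security disabled is the one that turns a database into a public download.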
Take Action:
If you are in India, your threat intel feed will report email IDs identified as part of the breach. Inform the affected individuals about the breach and ask them to change their passwords.
Note: this is more of a good gesture from the infosec team; most likely, your corporate data is not at risk. A rare chance to earn brownie points 😊. For those outside India, well, there is nothing to be done…