A hacker has recently posted a listing on a popular hacking forum advertising a data set that includes the public and private data of approximately 400 million Twitter users. The data was allegedly obtained by exploiting an API vulnerability in 2021 that has since been patched. The same vulnerability was exploited previously in a 5.4-million-record data breach, one which the Irish Data Protection Commission has just started investigating in its capacity as a regulator under the General Data Protection Regulation (GDPR).
The 400m-record data set includes names, email addresses, follower counts, account creation dates, and phone numbers. Most of the information in the data set is publicly available and can be found by anyone using the platform, but the email addresses and phone numbers associated with accounts are not made public. The data set is being offered by a user with the moniker ‘Ryushi’ on the Breached hacking forum, who has asked for $200,000 for an exclusive sale and has suggested that Twitter or Elon Musk purchase the data in order to avoid a financial penalty for a violation of the GDPR. The post suggests that purchasing the data could help Twitter avoid a $276 million penalty, similar to the one imposed on Facebook after the data of 533 million of its users was scraped.
The poster suggests that since the data set includes email addresses and phone numbers, it could be used for a range of nefarious purposes, including phishing attacks, SIM swapping, doxing, and crypto scams, and also draws attention to the number of celebrities and politicians in the data set. The post taunts Musk, suggesting that if he is not sure what to do he should run a Twitter poll and let users choose, since, after all, the breach was Twitter's fault for failing to address the API vulnerability.
A sample of the data, uploaded to the site to prove its authenticity, includes the data of high-profile Twitter users such as journalists, politicians, celebrities, government agencies, and corporations. The sample includes data scraped from the accounts of the journalist and presenter Piers Morgan, Donald Trump Jr, and New York Congresswoman Alexandria Ocasio-Cortez.
The hacker says that if a single purchaser cannot be found, the data will be sold to multiple individuals at a reduced price of $60,000. If a single purchaser is found, the data will not be resold and the data set will be deleted.