Hacker Claims to Be Selling Personal Data of 400 Million Twitter Users

The Twitter logo is displayed on a mobile device in London on Nov. 7, 2013. (Photo by Bethany Clarke/Getty Images)
Bryan Jung
12/27/2022
Updated: 12/27/2022

A hacker claims to be selling the personal Twitter data of 400 million users, according to a report.

The individual in question claimed to be selling the public and private data of more than 400 million Twitter users, stolen in November 2021 through an API vulnerability that was not fixed until January 2022.

Although Twitter fixed the vulnerability in January, it appears that multiple hackers were already able to steal enormous amounts of private information from users before it was addressed.

The data contained user information, including emails, usernames, account creation dates, and phone numbers, among them those of 37 celebrities, politicians, journalists, corporations, and government agencies.

The threat actor, who calls himself “Ryushi,” said in an interview with BleepingComputer, an information security and technology news website, that he is demanding that Twitter pay a $200,000 ransom to avoid further releases of the data and the potential regulatory fines that wider leaks could bring.

He said he has offered to sell the personal information back to the social media platform, with a promise to delete the data once the ransom payment is secured.

If no agreement is reached, copies will be sold to multiple organizations at $60,000 per download on the notorious “Breached” forum, which is commonly used by hackers to sell stolen user data, according to BleepingComputer.

Twitter Faces One of the Worst Data Leaks in Its History

The anonymous hacker confirmed that he collected the private data through the 2021 API breach, which was also associated with a similar confirmed leak involving 5.4 million accounts.

Another breach, involving as many as 17 million users, was allegedly carried out by another team of hackers, BleepingComputer reported.

The cyber security website has so far been able to confirm that only of these two leaks were valid.

The security defect allowed hackers to feed large lists of phone numbers and email addresses into a Twitter API and receive an associated Twitter user ID, reported the information security website.

“Ryushi” claimed that he then used the ID with another API to retrieve the public profile data for a user, building a Twitter user profile consisting of public and private data.

“I gained access by same exploit used for 5.4m data leak already. Spoke with the seller of it and he confirmed it was in twitter login flow,” the hacker told BleepingComputer.

“So, in the check for duplication it leaked the userID which I converted using another API to username and other info.”

Cybercrime security firm Hudson Rock said in a tweet that it has been able to independently verify that the leaked data samples obtained via the breach in the API system appear to be legitimate.
This was based on a sample of 1,000 Twitter user profiles leaked by “Ryushi,” reported Hudson Rock.

Threat to Sell Data to Criminal Networks if Twitter Fails to Respond

“Ryushi” threatened Twitter CEO Elon Musk that failure to cooperate would attract European Union GDPR privacy breach fines of up to $276 million, as happened to Facebook when the data of over 500 million of its users was exposed.

The hacker warned Elon Musk and Twitter that they should purchase the data immediately.

“Twitter or Elon Musk, if you’re reading this you are already risking a GDPR fine over 5.4m imagine the fine if 400m users breach. Your best option to avoid paying $276 million USD in GDPR breach fines like Facebook did (due to 533m users being scraped) is to buy this data exclusively,” the threat read.

Some of the famous names include former President Donald Trump, Rep. Alexandria Ocasio-Cortez of New York, Vitalik Buterin, Kevin O’Leary, Mark Cuban, and others.

“Ryushi” attached a link to a post warning how the stolen data could be abused by cybercriminals for phishing, crypto scams, doxing, BEC attacks, and other malicious activities against its users, highlighting the consequences of Musk’s failure to cooperate.

The hacker noted that since Musk was already under pressure from governments and critics for changing Twitter’s verification policy, users could lose their trust in the platform when they find out about the data breach.

The bad news comes after the Irish Data Protection Commission, an EU privacy watchdog, launched an investigation this month into Twitter’s data breach.

However, while some analysts have speculated that “Ryushi’s” claim of possessing the private data of 400 million accounts is a bluff, Hudson Rock believes that the cyber threat is real.

“Please Note: At this stage, it is not possible to fully verify that there are indeed 400,000,000 users in the database. From an independent verification, the data itself appears to be legitimate and we will follow up with any developments,” the cybercrime intelligence agency stated in a separate tweet.