400 million Twitter users’ public and private data were scraped in 2021 using a now-fixed API vulnerability, according to a threat actor. On the Breached hacking forum, a website frequently used to sell user data obtained through data breaches, a threat actor going by the name of “Ryushi” is allegedly selling the purported data dump.
The threat actor claims to have exploited a vulnerability to gather information from more than 400 million distinct Twitter users. They advised Twitter and Elon Musk to buy the data before the GDPR privacy legislation in Europe imposes a significant fee on them for failing to comply.
The hacker directed his message not just at Twitter but also at Elon Musk. Ryushi stated, “Twitter or Elon Musk if you are reading this, you are already at danger of a GDPR penalties over 5.4 million breaches envisioning the fine of 400 million users breach source.”
Useful Link: What is GDPR? How it Impacts Different Industries?
“Buying this data entirely is your best choice to avoid paying $276 million USD in GDPR breach fines as Facebook did (due to 533 million users being scraped)”. Ryushi has also shared another link, alleging that it only represents a small portion of the information the hacker possesses.
Email addresses, usernames, followers, and phone numbers of the impacted people are among the data that have been made available for purchase. According to the Israeli firm Hudson Rock investigation, the hacker may have accessed the platform’s API. As evidence, the hacker provided a sample of data that included names like Salman Khan, Charlie Puth, Steve Wozniak, Donald Trump Jr., and more.
“The data is increasingly more likely to be valid and was probably obtained from an API vulnerability enabling the threat actor to query any email/phone and retrieve a Twitter profile, this is extremely similar to the Facebook 533 Mn database that I originally reported about in 2021 and resulted in a $275,000,000 fine to Meta,” Hudson Rock’s chief technology officer Alon Gal stated.
“I am more confident this is a 400,000,000 users leak, and as always, it will unfortunately leak to the hands of every hacker for free,” said Alon.
Ryushi claimed they were trying to sell Twitter data solely to Twitter for $200,000 before deleting it. If you don’t buy a complete copy, they’ll sell copies to several buyers for $60,000 each. Ryushi also said they contacted Twitter to ransom the data, but Twitter didn’t respond.
Latest Turn of Events
Quite disturbingly, it was discovered by the researchers at Privacy Affairs that the account data of over 200 million Twitter users have been dumped on an online forum. And, worsening this is that this data is available for free.
“This new leak appears to be the same as the one reported in December 2022 that affected over 400 million accounts,” Veronika Biliavska, content manager at Privacy Affairs, said via an email. “The 200 million number, in this case, resulted from the removal of duplicates.”
The data dump was about 63GB in size, and it housed vital information such as Twitter handles, email addresses, and other such details. The information can potentially be weaponized to hack Twitter user accounts. The silver lining was that the contact numbers were not leaked in this posting.
More Cyber Security News: