A threat actor has claimed to have stolen the data of nearly 400 million Twitter users and put them up on the dark web for sale, containing private information of celebrities, politicians, companies, and many more.
According to a report by Israeli cyber intelligence company Hudson Rock, the stolen data is claimed to include information on high-profile users such as Google CEO Sundar Pichai, the World Health Organisation (WHO), the National Aeronautics and Space Administration (NASA), the Union Ministry of Information and Broadcasting, and Bollywood actor Salman Khan, among others.
Hudson Rock shared images of the Twitter post in which the hacker disclosed the data leak. The stolen personal data of 400 million Twitter users includes email addresses, names, usernames, follower counts, account creation dates and, in some cases, even phone numbers.
BREAKING: Hudson Rock discovered a credible threat actor is selling 400,000,000 Twitter users data.
The private database contains devastating amounts of information including emails and phone numbers of high profile users such as AOC, Kevin O'Leary, Vitalik Buterin & more (1/2). pic.twitter.com/wQU5LLQeE1
— Hudson Rock (@RockHudsonRock) December 24, 2022
The threat actor who goes by the handle “Ryushi” says the users’ data were collected by exploiting a vulnerability.
“I am selling data of +400 million unique Twitter users that were scraped via a vulnerability, this data is 100% confidential,” the hacker claimed in his post.
To prove that the leaked data is genuine, the threat actor posted a sample of 1,000 accounts, as part of a larger sample, on the Breached hacking forum, a site commonly used by hackers to sell user data stolen in breaches.
While Hudson Rock has not been able to fully verify the hacker's claims given the number of accounts involved, it independently verified that the leaked samples appear legitimate. Web3 security firm DeFiYield also verified that the sample data posted for sale was "real".
According to the Hudson Rock report, the hacker has reportedly offered Twitter CEO Elon Musk and the microblogging site a deal to purchase the data in order to avoid a huge fine under Europe's GDPR privacy law.
“If you work for Twitter or are Elon Musk and you are reading this, you are already in danger of GDPR fines for the data leak of more than 54 million users. The $400 million data breach has now resulted in sanctions” the hacker stated.
"If you want to avoid having to pay $2.76 million in GDPR breach charges as Facebook did (533 million users were scraped), then buying this data solely is your best bet." In other words, he is willing to negotiate with any go-between.
According to the report, the hacker says he does not mind if the deal is brokered through a middleman, and that he will then delete the thread and not sell the data again.
The threat actor further emphasised the consequences if Twitter failed to cooperate: data sold to anyone else would expose many celebrities and politicians to phishing, crypto scams, SIM swapping, doxxing and other attacks, making them lose trust in the company and prompting them to seek alternatives.
According to BleepingComputer, the hacker has offered the Twitter data exclusively to a single buyer (Twitter itself or one other party) for $200,000, after which the data would be deleted, or, if the exclusive deal does not work out, to multiple buyers at $60,000 per sale.
How Was the Twitter User Data Hacked?
The Hudson Rock report states that the hacker claimed the data was obtained in early 2022 through an API vulnerability in Twitter, which has since been fixed. The same vulnerability was earlier used to access the data of over 5.4 million Twitter users, reported in August 2022.
"The data is increasingly more likely to be valid and was probably obtained from an API vulnerability enabling the threat actor to query any email/phone and retrieve a Twitter profile, this is extremely similar to the Facebook 533m database that I originally reported about in 2021 and resulted in a $275,000,000 fine to Meta," Alon Gal, co-founder and CTO of Hudson Rock, said on LinkedIn.
“This is easily disproved by comparing the samples in the new leak to the older 5.4m version which had already been leaked publicly,” Gal explained.
"250 out of 1000 are found (the count would have been lower had it been a sample of non-verified accounts). I can't share some sensitive information I have, but as time goes on I am more confident this is a 400,000,000 users leak, and as always, it will unfortunately leak to the hands of every hacker for free."
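The weakness Gal describes, an endpoint that takes any email address or phone number and hands back the matching profile, is a classic account-enumeration oracle. The following is an added, self-contained illustration written for this article, not Twitter's code and not Hudson Rock's: a toy lookup modelled on that description, a hardened variant with the controls a defender would expect (a per-client quota, respect for the target's discoverability setting, and an identical response whether or not the contact exists), and a small detector run over constructed log lines that flags clients sweeping through many distinct contacts. All user records, client names, log fields and thresholds are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample directory (hypothetical data, not real accounts).
USERS = {
    "alice@example.com": {"id": 101, "handle": "@alice", "discoverable": True},
    "+15550001111":      {"id": 102, "handle": "@bob",   "discoverable": False},
}


def vulnerable_lookup(contact: str):
    """Models the weakness described in the article: any caller can submit any
    email or phone number and get the matching profile back. Nothing checks who
    is asking, how often, or whether the target opted in to being found."""
    return USERS.get(contact)


class HardenedLookup:
    """Same feature with three controls: a per-client quota, honouring the
    target's discoverability setting, and one response shape for both
    'no such contact' and 'contact exists but is not discoverable', so the
    endpoint no longer confirms whether an email/phone belongs to an account."""

    def __init__(self, quota: int = 5):
        self.quota = quota                 # max lookups per client (hypothetical value)
        self.calls = defaultdict(int)      # client_id -> lookups so far

    def lookup(self, client_id: str, contact: str) -> dict:
        self.calls[client_id] += 1
        if self.calls[client_id] > self.quota:
            return {"status": "rate_limited", "matches": []}
        user = USERS.get(contact)
        if user is None or not user["discoverable"]:
            # Deliberately indistinguishable from "no account" to avoid an oracle.
            return {"status": "ok", "matches": []}
        return {"status": "ok", "matches": [user["handle"]]}


# Hypothetical log format: the endpoint logs a hash of the queried contact
# rather than the raw value, which is enough to count distinct lookups.
LOG_RE = re.compile(r"client=(\S+) path=/contacts/lookup contact_hash=(\S+)")


def detect_enumeration(log_lines, max_distinct: int = 3):
    """Return client ids that queried more distinct contacts than a normal
    address-book sync for one user would plausibly need (threshold is
    illustrative; a real deployment would tune it per time window)."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return sorted(c for c, hashes in seen.items() if len(hashes) > max_distinct)


# Constructed log sample: one ordinary client, one sweeping through contacts.
SAMPLE_LOGS = [
    "2022-01-15T10:00:01Z client=app-legit  path=/contacts/lookup contact_hash=h1 status=200",
    "2022-01-15T10:00:02Z client=app-legit  path=/contacts/lookup contact_hash=h2 status=200",
    "2022-01-15T10:00:03Z client=app-scrape path=/contacts/lookup contact_hash=h1 status=200",
    "2022-01-15T10:00:03Z client=app-scrape path=/contacts/lookup contact_hash=h2 status=200",
    "2022-01-15T10:00:04Z client=app-scrape path=/contacts/lookup contact_hash=h3 status=200",
    "2022-01-15T10:00:04Z client=app-scrape path=/contacts/lookup contact_hash=h4 status=200",
]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup("+15550001111"))
    h = HardenedLookup(quota=2)
    print("hardened, discoverable:", h.lookup("c1", "alice@example.com"))
    print("hardened, opted out:   ", h.lookup("c1", "+15550001111"))
    print("hardened, over quota:  ", h.lookup("c1", "nobody@example.com"))
    print("flagged clients:", detect_enumeration(SAMPLE_LOGS))
```

The point of the hardened variant is not the quota alone (a scraper can spread requests across many clients) but that the response for an opted-out user is byte-for-byte the same as for a non-existent one, which is what removes the email/phone-to-profile oracle; the log detector then catches the residual bulk behaviour.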