The data of 400 million Twitter users has been put up for sale on the dark web in what has been described as one of the largest Twitter data breaches. The news comes just one day after the Irish Data Protection Commission (DPC) announced an investigation into a previous Twitter data leak that affected over 5.4 million users. The previous breach was found in late November.
To prove that the data is genuine, the hacker has posted a sample of data on one of the hacker forums. The sample data contains the following information: email, name, username, follower count, creation date, and in some cases, the phone number of the users.
What’s shocking is that the sample provided by the hacker includes data from some very high-profile user accounts. The sample contains user data for the following:
– Alexandria Ocasio-Cortez
– SpaceX
– CBS Media
– Donald Trump Jr.
– Doja Cat
– Charlie Puth
– Sundar Pichai
– Salman Khan
– NASA’s JWST account
– NBA
– Ministry of Information and Broadcasting, India
– Shawn Mendes
– Social Media of WHO
The sample contains data for many more high-profile users. While most of these details will lead to the accounts’ social media teams, the data leak, if legitimate, is going to be very damaging. According to Alon Gal, co-founder and CTO of the Israeli cybercrime intelligence company Hudson Rock, the data was probably obtained from an API vulnerability enabling the threat actor to query any email or phone and retrieve a Twitter profile.
In his post, the hacker writes, “Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imagine the fine of 400m users breach source. Your best option to avoid paying $276 million USD in GDPR breach fines like facebook did (due to 533m users being scraped) is to buy this data exclusively.”
The hacker states he is open to the ‘Deal’ going through a middle man, “After that I will delete this thread and will not sell this data again. And data will not be sold to anyone else which will prevent a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing and other things that will make your users Lose trust in you as a company and thus stunt the current growth and hype that you are having also just imagine famous content creators and influencers getting hacked on twitter that will for sure Make them ghost the platform and ruin your dream of twitter video sharing platform for content creators, also since you Made the mistake of changing twitter policy that got an immense backlash.”
While other threat actors have not verified the data yet, Alon Gal states in his LinkedIn post that “The data is increasingly more likely to be valid and was probably obtained from an API vulnerability enabling the threat actor to query any email / phone and retrieve a Twitter profile, this is extremely similar to the Facebook 533m database that I originally reported about in 2021 and resulted in a $275,000,000 fine to Meta.”
A breach of this scale might blow up in Elon Musk’s face after he sledgehammered Twitter’s business and policy. The DPC has already begun investigating the earlier breach.