A hacker is selling the data of 400 million Twitter accounts, extracted in 2021 by taking advantage of an API vulnerability in the social network.
The attacker, known as “Ryushi”, has published details of how it was done on Breached, a site used to sell user data stolen in data breaches, where he asks for 200,000 dollars for an “exclusive” sale to Elon Musk/Twitter, so that the company can avoid a fine under Europe's General Data Protection Regulation (GDPR).
Known profiles and public user data
According to Ryushi, Musk is risking a fine from the GDPR and his best option to avoid paying 276 million dollars is to buy user data.
To demonstrate the veracity of the data leak, the attacker published some of the accounts he holds, including SpaceX, Donald Trump, Charlie Puth, Steve Wozniak, Neil deGrasse Tyson, Cara Delevingne, Gerard Piqué, Sundar Pichai, Linus Tech Tips, Vitalik Buterin and Shawn Mendes.
Along with these accounts, Ryushi also posted a “small sample” of 1,000 Twitter users who had been verified even though they were not subscribed to Twitter Blue, adding that “they do not represent even 1% of the data”.
The profiles held by the attacker consist of public and private user data, among which are email addresses, names and usernames, number of followers, account creation date and, in some cases, the telephone number.
In addition, BleepingComputer reports that after contacting Ryushi, he said he is trying to sell the data to a single buyer, in this case Twitter itself, for the $200,000, adding that after the transaction the data would be deleted.
However, in the event that the exclusive purchase cannot be made, the attacker’s intention is to be able to sell copies to multiple people for $60,000 each.
Taking advantage of an “old” Twitter bug
This collection used the same Twitter API vulnerability that led to the leak of approximately 5.4 million accounts in January 2022, a bug that allowed phone numbers and email addresses to be submitted in order to retrieve the associated Twitter account ID.
That earlier data set had initially been put up for sale, although it was later made available for free to any user.
For now, Hudson Rock, a cybercrime intelligence company, has revealed that despite the size of the leak, it cannot yet be determined whether the database really contains a total of 400 million users, but on independent verification the data does appear to be legitimate.
Image: Roman Martyniuk on Unsplash