A member of a criminal data breach forum claims to have obtained the emails and phone numbers of 400 million Twitter users in a posting that urges social media CEO Elon Musk to buy the data set for an unspecified price.
The posting, apparently first noticed by Israeli cyber intelligence firm Hudson Rock, includes alleged private email addresses for three dozen well known personalities including New York Democratic Rep. Alexandria Ocasio Cortez, Ethereum cryptocurrency founder Vitalik Buterin and cybersecurity reporter Brian Krebs.
The posting also includes a link to a spreadsheet with a thousand records, a handful of which belong to public institutions and whose listed email addresses appear legitimate.
The poster, who uses a male avatar and goes by the handle “Ryushi,” says the records were exposed for scrapping “via a vulnerability” and did not respond to a request for elaboration over his Telegram channel.
If verified, the data breach would be a further blow to Twitter and its beleaguered chief executive, who has said he will step down from overseeing the social media network while remaining its owner.
Only months ago, Twitter entered into a consent order with the U.S. Federal Trade Agreement binding it to maintain a privacy and information security program for the next two decades. The agreement ended a federal investigation into Twitter’s use of phone numbers and email addresses for advertising purposes when they were collected to be used for multifactor authentication. Twitter also paid a $150 million civil penalty. Bloomberg reports the agency is intensifying a probe into whether the company is complying with the order, especially given the exodus of senior legal, privacy and compliance executives (see:Twitter Ramps Up Regulatory Exposure After Loss of CISO).
The Irish Data Protection Commission on Friday announced an investigation into a August incident that saw the contact records of 5.4 million Twitter users dumped on the same forum favored by Ryushi (see: Cybercrime Forum Dumps Stolen Details on 5.4M Twitter Users).
Twitter, wrote the Irish data protection authority, apparently violated provisions of the General Data Protection Regulation, Europe’s privacy regulation often tied with hefty fines. The Irish agency in November invoked the GDPR to fine Facebook 265 million euros after data set containing details of more than half a billion social media users appeared online last year (see: Meta Fined by Irish Privacy Regulator for GDPR Violations).