A hacker claims to have obtained partial data on 400 million Twitter accounts, with a sample released online including purported information from former prime minister Scott Morrison’s page.
The data, which includes email addresses and some phone numbers linked to user accounts but not passwords, was posted just before Christmas on the same data forum that was used by the Optus hacker. This masthead has chosen not to name the site.
Israeli cybersecurity company Hudson Rock, which first publicised the breach, said the sample data “appears to be legitimate”, but cautioned that it was impossible to verify the hacker’s claim to have taken 400 million records from 2021 to early 2022.
Rob Potter, co-founder of Australian cybersecurity firm Internet 2.0, said the data appeared to have been taken via a method called “scraping”, in which a savvy user finds a system that has been misconfigured to provide information and requests data from it.
“There’s some bug… that allowed them to scrape without limitation, so they were able to just continuously scrape,” Potter said.
In Morrison’s case, the email used in the file is his publicly available Parliament House address and there is no phone number or other sensitive information. But other celebrities in the file have had what appear to be personal email or phone numbers made public. British broadcaster Piers Morgan and model Cara Delevingne are among those listed.
Twitter’s billionaire owner and chief executive Elon Musk, who has also functioned as a one-man press office since buying the company, has not responded to public requests for comment from users caught in the breach.
Morrison’s office did not immediately respond to a request for comment. Twitter’s Australian media team was axed in Musk’s initial round of job cuts and a public relations agency that previously worked for it is no longer representing the social media giant.