A dataset allegedly containing the email addresses and phone numbers of more than 400 million Twitter users has been put up for sale on hacking forum Breached Forums.
The dataset was uploaded to Breached Forums on December 23, 2022, by a hacker going by the screen name ‘Ryushi’. The hacker claimed to have collected the data using data scraping techniques and a now-patched vulnerability in the social media site’s software in 2021 and demanded US$200,000 for an “exclusive” sale of the data.
Sample of 400 million Twitter breach
– CBS Media
– Donald Trump Jr.
– Doja Cat
– Charlie Puth
– Sundar Pichai
– Salman Khan
– NASA’s JWST account
– Ministry of Information and Broadcasting, India
– Shawn Mendes
– Social Media of WHO pic.twitter.com/RdezKOlMml
— 🏴☠️🕊🍓Puck Arks🍓🕊🏴☠️ (@PuckArksReturns) December 25, 2022
In their post, the hacker addressed Twitter owner Elon Musk directly, saying: “Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4 m[illion] breach imaging [sic] the fine of 400 m[illion] users breach.
“Your best option to avoid paying $276 million USD in GDPR breach fines like Facebook did…is to buy this data exclusively”.
The hacker went on to warn that if Twitter did not buy the data before it was sold, users would “lose trust in you”, and said that if malicious actors used the data to gain unauthorized access to the accounts of prominent people (e.g. celebrities or politicians), this would “for sure make them ghost the platform” and “ruin [Musk’s] dream” of Twitter being a video sharing platform.
Ryushi went on to say that the data breach would exacerbate an already “sensitive time” for content creators on Twitter, and that if Musk was unsure about what to do he should “run a poll on Twitter like usual and people will chose their fate”, a reference to the fact that Musk has allegedly used Twitter polls to influence business decisions.
The hacker also blamed Twitter directly for the hack, saying “at the end of the day it’s the company’s fault this data was breached”.
Hey @elonmusk, since you don’t seem to have much a media/comms team anymore, can you address the apparently legitimate claim that someone scraped & is now selling data on hundreds of millions of Twitter accounts? Maybe it didn’t happen on your watch, but you owe Twitter a reply.
— briankrebs (@briankrebs) December 27, 2022
Users of the site have urged Musk to publicly comment on the data breach. Cyber security expert and investigative journalist Brian Krebs tagged Musk in a public post about the breach, saying that he “owe[s] Twitter a reply” about the breach, even if it “didn’t happen on [his] watch”.
The forum post included sample data for 37 celebrities, corporations, journalists, politicians and government agencies including Doja Cat, Alexandria Ocasio-Cortez, the World Health Organization, Shawn Mendes and Piers Morgan.
It has been suspected that the sample data has already been used by malicious actors to access the accounts listed in the sample, in particular that of British tabloid journalist Piers Morgan. This suspicion arose after Morgan’s Twitter account was allegedly hacked and a number of strange tweets were posted to his profile between Christmas Day and Boxing Day 2022.
These tweets included abusive messages, false information and racial slurs directed at a number of people including the late Queen Elizabeth II and singer Ed Sheeran.
Morgan has not yet publicly addressed the hack.
Investigation into Twitter launched following breach
The Irish Data Protection Commission (DPC) announced on December 23, 2022, that it will be launching an investigation into a breach that exploited the same vulnerability and affected 5.4 million users in July 2022. This investigation was referenced by Ryushi in their post.
The breach took place using a vulnerability in Twitter software that was first flagged to the company in January 2022. This vulnerability allowed malicious actors to learn whether an email address or phone number was associated with an existing account simply by entering it and attempting to log in, because the site’s response differed depending on whether the identifier was registered.
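The weakness described above is a classic account-enumeration flaw: the login or “find account” flow answers differently depending on whether an email or phone number is registered, so an attacker can confirm associations without ever knowing a password. The following is an added example written for this article, not Twitter’s code and not from the forum post; it models a minimal lookup in the leaky shape beside a hardened shape (uniform error text, equal hashing cost on both paths, and a per-caller attempt budget), plus a regression check a defender can keep in a test suite. All users, identifiers, passwords and the in-memory limiter are constructed for the example.

```python
"""
Added example (not from the article or from Twitter): a minimal model of an
"is this e-mail/phone tied to an account?" login check, in the shape that
leaks account existence beside a shape that does not. Every identifier and
password below is constructed for the example.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed user directory: identifier -> salted password hash. Not real data.
_SALT = b"example-salt"


def _hash(pw: str) -> bytes:
    # Deliberately slow KDF so the timing difference in the leaky path is visible.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10_000)


USERS = {
    "alice@example.invalid": _hash("correct horse"),
    "+15555550100": _hash("battery staple"),
}


def vulnerable_login(identifier: str, password: str) -> dict:
    """Leaks whether the identifier is registered: the error text differs,
    and the expensive hash is skipped entirely for unknown identifiers, so
    response time differs too."""
    stored = USERS.get(identifier)
    if stored is None:
        return {"ok": False, "error": "no account matches that email or phone"}
    if hmac.compare_digest(stored, _hash(password)):
        return {"ok": True}
    return {"ok": False, "error": "incorrect password"}


# Hash compared against when the identifier is unknown, so both paths cost the same.
_DUMMY_HASH = _hash("dummy")

# In-memory stand-in for a real rate limiter: caller key -> attempts so far.
_ATTEMPTS = defaultdict(int)
MAX_ATTEMPTS = 5


def hardened_login(identifier: str, password: str, caller: str = "anon") -> dict:
    """Same error text for an unknown identifier and a wrong password, the
    same hashing cost on both paths, and a per-caller attempt budget so bulk
    lookups are cut off rather than answered."""
    _ATTEMPTS[caller] += 1
    if _ATTEMPTS[caller] > MAX_ATTEMPTS:
        return {"ok": False, "error": "too many attempts, try again later"}
    stored = USERS.get(identifier, _DUMMY_HASH)
    matched = hmac.compare_digest(stored, _hash(password))
    # The `in USERS` guard prevents the dummy hash from ever authenticating anyone.
    if matched and identifier in USERS:
        return {"ok": True}
    return {"ok": False, "error": "invalid credentials"}


def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Regression check for a defender's test suite: feed one registered and
    one unregistered identifier with a wrong password and flag the handler
    if the two responses are distinguishable."""
    return handler(known, "wrong-password") != handler(unknown, "wrong-password")


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_existence(vulnerable_login, "alice@example.invalid", "nobody@example.invalid"))
    print("hardened leaks:  ", leaks_existence(hardened_login, "alice@example.invalid", "nobody@example.invalid"))
```

The response-body check is the obvious one; in a real deployment the same uniformity must hold for status codes, headers and timing, and the attempt budget should be keyed on more than a single caller string (per account and per source), which is why the limiter here is labelled a stand-in.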
The DPC said in a statement that it had “corresponded with Twitter International Unlimited Company (‘TIC’)” in relation to the data breach and “raised queries in relation to GDPR compliance”.
After considering the information provided by TIC in response to its queries, the DPC said it was “of the opinion that one or more provisions of the GDPR and/or the Act may have been, and/or are being, infringed in relation to Twitter Users’ personal data”.
As a result of this, the DPC said that it will be investigating the data breach to determine “whether TIC has complied with its obligations, as controller, in connection with the processing of personal data of its users or whether any provision(s) of the GDPR and/or the Act have been, and/or are being, infringed by TIC in this respect”.
In November 2022, social media company Meta was fined $275 million following an investigation by the DPC into a Facebook data leak that took place in April 2021. This was also referred to by the hacker in their Breached Forums post.