Just when you thought the various controversies surrounding Twitter were winding down, a hacker claims to be selling the data of 400 million users.
The data is said to have been captured in 2021, and was obtained using an API vulnerability that has since been fixed.
The threat actor, who calls themself ‘Ryushi’, has advised Elon Musk and Twitter to buy the data for the asking price of $200,000, or face an even larger GDPR fine.
The threat actor, who appears to have joined the Breached hacking forum in December 2022, wrote:
“Your best option to avoid paying $276 million USD in GDPR breach fines like facebook did (due to 533m users being scraped) is to buy this data exclusively… after that I will delete this thread and will not sell this data again.”
Sample data on more than 1,000 users, a number of celebrities among them, has been leaked. It includes email addresses, usernames, follower counts, creation dates, and some users’ phone numbers.
If an exclusive sale to Twitter (or any other party who wants the information) is not made for $200,000, the hacker claims that they will sell the data to multiple buyers for $60,000 each.
Bleeping Computer reports that the API that caused the vulnerability was fixed in January 2022. However, multiple threat actors have been confirmed to have used it, putting more than 400 million users at risk of scams and phishing attacks.
Elsewhere, WhatsApp recently came under pressure as a data breach saw more than 500 million users’ personal information leaked, though it is now thought that this was a re-use of an older 2019 Facebook leak.
TechRadar Pro has reached out to Twitter for further comment on the threat.