Hackers claim to sell personal data of 400 million Twitter users

According to reports, hackers claim to be selling the personal Twitter data of 400 million users.

The individual in question claims to be selling public and private data of over 400 million Twitter users, stolen in November 2021 by exploiting an API vulnerability that was not fixed until January 2022.

Twitter fixed the vulnerability in January, but multiple hackers were apparently able to steal vast amounts of personal information from users before the issue was resolved.

The data included user information such as email address, username, account creation date and phone number. Among those affected are 37 public figures, politicians, journalists, businesses and government agencies.

The threat actor, who goes by the name “Ryushi,” said in an interview with BleepingComputer, an information security and technology news website, that he has demanded Twitter pay a $200,000 ransom to avoid further disclosure of its data and potential fines from regulators for a wider leak.

He said he offered to sell personal information to the social media platform, promising to delete the data once ransom payment was secured.

According to BleepingComputer, if no agreement is reached, copies will be sold to multiple organizations for $60,000 per download on the infamous “Breached” forum, often used by hackers to sell stolen user data.

Twitter faces one of the worst data breaches in its history

Anonymous hackers have confirmed that they collected personal data through a 2021 API breach. This was also related to a similar confirmed leak involving 5.4 million accounts.

Another breach involving as many as 17 million users was allegedly perpetrated by a different team of hackers, as reported by BleepingComputer.

Cybersecurity websites have so far been able to confirm only one of these two leaks as valid.

A security flaw allowed hackers to feed a large list of phone numbers and email addresses into the Twitter API and receive associated Twitter user IDs, reports the information security website.

“Ryushi” claimed to have obtained users’ public profile data using an identity with a different IP, and to have created Twitter user profiles consisting of public and private data.

“I had already gained access through the same exploit that was used for the 5.4m data breach. I spoke with the seller and they confirmed it was in Twitter’s login flow,” the hacker told BleepingComputer.

“So the duplicate check leaked user identities that were converted to usernames and other information using another API.”

Cybercrime security firm Hudson Rock said in a tweet that it was able to independently verify that the data samples leaked via the API system breaches appear to be legitimate.

Hudson Rock reports that this was based on a sample of 1,000 Twitter user profiles leaked by “Ryushi.”

Threatens to sell data to criminal networks if Twitter does not respond

“Ryushi” blackmailed Twitter’s CEO, Elon Musk, saying failure to cooperate could result in EU GDPR privacy violation fines of up to $276 million, as happened to Facebook when the data of more than 500 million users was exposed.

Hackers have warned Elon Musk and Twitter to buy the data immediately.

“Twitter, Elon Musk, you reading this are at risk of over 5.4 million GDPR fines if 400 million users violate. Fines for GDPR violations like Facebook. The best option to avoid paying $276 million in (because 533 million users were scraped) is to buy this data exclusively,” the threat read.

Famous names include former President Donald Trump, New York Rep. Alexandria Ocasio-Cortez, Vitalik Buterin, Kevin O’Leary, Mark Cuban, and more.

In the post, “Ryushi” warned that the stolen data could be used by cybercriminals for phishing, cryptocurrency fraud, doxing, BEC attacks, and other malicious activities against users, emphasizing the consequences if Musk did not cooperate.

Hackers said that Musk was already under pressure from the government and critics over changes to Twitter’s verification policy, and that users may lose trust in the platform when they learn about a data breach.

The bad news came after the Irish Data Protection Commission, the EU’s privacy watchdog, launched an investigation into the Twitter data breach earlier this month.

But while some analysts speculate that “Ryushi’s” claim to own the personal data of 400 million accounts is a bluff, Hudson Rock believes the cyber threat is real.

“Please note: At this stage, we cannot fully confirm that the database actually has 400 million users,” said the cybercrime intelligence agency in another tweet.

Brian Jung

Bryan S. Jung is a New York City resident with a background in politics and the legal industry. He graduated from Binghamton University.