According to a hacker, 400 million Twitter accounts are affected by a massive Twitter data breach. In a post on a criminal data breach forum, a member who claims to have obtained the emails and phone numbers of 400 million Twitter users has urged Twitter CEO Elon Musk to buy the data.
With users flocking to rival Mastodon, a controversial new view count feature, and now the breach, Elon Musk seems to have no end of troubles to deal with. The seller, a member of data breach forums named Ryushi, claims the data was scraped via a Twitter vulnerability. Vitalik Buterin, Sundar Pichai, Mark Cuban, and others are among those whose data was allegedly compromised.
Twitter data breach: 400 million users affected according to a hacker
Over 400 million Twitter accounts have had their data exposed and are now for sale on the deep web. The hacker claims the information is confidential and contains the email addresses and phone numbers of famous people, government officials, businesses, and normal users. An Israeli cyber intelligence agency called Hudson Rock reportedly discovered the posting first.
BREAKING: Hudson Rock discovered a credible threat actor is selling 400,000,000 Twitter users data.
The private database contains devastating amounts of information including emails and phone numbers of high profile users such as AOC, Kevin O'Leary, Vitalik Buterin & more (1/2). pic.twitter.com/wQU5LLQeE1
— Hudson Rock (@RockHudsonRock) December 24, 2022
The hacker shared a sample of the data on one of the hacker forums to demonstrate its authenticity. The following are included in the Twitter data breach sample data:
- Email addresses
- Numbers of followers
- Profiles’ dates of creation
- Phone numbers
The shocking part is that the hacker released sample data from high-profile user accounts. The Twitter data breach sample includes information from the following sources:
- Alexandria Ocasio-Cortez
- CBS Media
- Donald Trump Jr.
- Doja Cat
- Charlie Puth
- Sundar Pichai
- Salman Khan
- NASA’s JWST account
- Ministry of Information and Broadcasting, India
- Shawn Mendes
- Social Media of WHO
Data from many more high-profile users can be found in the sample set. If the data leak is real, it will be incredibly destructive, but most of the traces will point to the social media team. Hudson Rock co-founder and CTO Alon Gal speculates that the information was accessed through an API vulnerability that allowed the threat actor to query any email or phone number and receive a Twitter profile.
“Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imagine the fine of 400m users breach source. Your best option to avoid paying $276 million USD in GDPR breach fines like facebook did (due to 533m users being scraped) is to buy this data exclusively.”
The hacker explains his motives in his post
The Twitter data breach hacker indicates that he is willing to negotiate the ‘Deal’ through a middleman:
“After that I will delete this thread and will not sell this data again. And data will not be sold to anyone else which will prevent a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing and other things that will make your users Lose trust in you as a company and thus stunt the current growth and hype that you are having also just imagine famous content creators and influencers getting hacked on twitter that will for sure Make them ghost the platform and ruin your dream of twitter video sharing platform for content creators, also since you Made the mistake of changing twitter policy that got an immense backlash.”
According to Alon Gal, Twitter has added a “readers context” note in which it attributes the database of 400,000,000 Twitter users to the data leak in August that affected 5,400,000 users.
“This is easily disproved by comparing the samples in the new leak to the older 5.4m version which had already been leaked publicly. 250 out of 1000 are found. (the count would have been lower had it been a sample of non-verified accounts) I can’t share some sensitive information I have, but as time goes on I am more confident this is a 400,000,000 users leak, and as always, it will unfortunately leak to the hands of every hacker for free.”
After slamming Twitter’s business and policies with a sledgehammer, Elon Musk may find himself on the receiving end of a massive data breach. The Irish Data Protection Commission (DPC) is currently looking into the earlier security breach.
The Twitter data breach claim came a day after the DPC stated it would look into a prior Twitter data leak that affected over 5.4 million users.
Twitter data breach: How did alleged hack happen?
The Twitter data breach seller, identified as Ryushi, a frequent contributor to hacker forums, asserts that the information was obtained by exploiting a security hole. Following the alleged Twitter data breach, hacker Sunny Nehra hinted that more information was stolen through the same vulnerability.
According to reports, the hacker is attempting to sell the data, which includes contact information for prominent Twitter users like Alphabet and Google CEO Sundar Pichai, Bollywood actor Salman Khan, the Indian Ministry of Information and Broadcasting, Elon Musk’s SpaceX, CBS Media, Donald Trump Jr., and American politician Alexandria Ocasio-Cortez.
2/ Twitter had accepted that the said API flaw was abused in the wild but it’s high time now that they also confirm how many exact users and who all were infected (alert all those users). We can’t wait for some or other new dumps related to the same flaw getting leaked with time.
— Sunny Nehra (@sunnynehrabro) December 26, 2022
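The flaw described above let a client submit any email address or phone number and receive the matching profile, so abuse shows up on the server side as one client resolving many distinct identifiers in a short time. The following Python detection example is added here and is not code from Twitter or from anyone quoted in this article; the log format, client names, window and threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_DISTINCT = 5                # assumed per-client limit inside one window

def sample_log():
    """Constructed log lines: '<ISO timestamp> <client> <identifier token>'."""
    base = datetime(2022, 1, 1, 12, 0, 0)
    rows = []
    for n in range(8):    # app-17 resolves 8 different identifiers in 70 seconds
        rows.append((base + timedelta(seconds=10 * n), "app-17", f"tok{n:03d}"))
    for n in range(7):    # app-09 resolves 7 identifiers, one every 10 minutes
        rows.append((base + timedelta(minutes=10 * n), "app-09", f"tok{100 + n}"))
    for n in range(6):    # app-02 keeps re-checking the same 2 identifiers
        rows.append((base + timedelta(seconds=30 * n), "app-02", f"tok{200 + n % 2}"))
    return [f"{ts.isoformat()} {client} {token}" for ts, client, token in rows]

def parse(line):
    ts, client, token = line.split()
    return datetime.fromisoformat(ts), client, token

def find_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client: peak count of distinct identifiers seen in one window}
    for every client that exceeded max_distinct."""
    recent = defaultdict(deque)          # client -> (timestamp, token) in window
    flagged = {}
    for ts, client, token in sorted(parse(l) for l in lines):
        q = recent[client]
        q.append((ts, token))
        while ts - q[0][0] > window:     # drop lookups older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    for client, peak in find_enumerators(sample_log()).items():
        print(f"{client}: {peak} distinct identifiers within {WINDOW}")
```

Counting distinct identifiers rather than raw requests keeps a client that repeatedly re-checks the same contacts from being flagged, while a slow enumerator such as the constructed `app-09` is only caught with a longer window.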
According to reports, the Twitter data breach hacker is negotiating the sale of the data to Twitter CEO Musk, presenting it as a way to sidestep potential GDPR-related legal action.
The hacker claims that they will destroy the data and not sell it to anyone else if Musk pays the ransom “to avoid a lot of celebrities and politicians from Phishing, Crypto frauds, Sim swapping, Doxxing, and other things.”
Targeted phishing attempts via text and email, SIM swap attacks to gain access to accounts, and doxxing are all possible outcomes of a data breach involving such information.
The supposed hacker’s Breached post promoting the database for sale is still active as of this writing.
Users are urged to take measures such as using a private, self-hosted crypto wallet, changing their passwords frequently and storing them safely, and enabling two-factor authentication (through an app rather than their phone number) on all of their accounts.
Outcomes of similar major data breaches: Equifax & T-Mobile
The credit reporting firm Equifax acknowledged on September 7, 2017, that one of its computer networks had suffered a data leak that exposed the personal information of 143 million clients, a figure that eventually rose to 147 million. These records included the customers’ names, residences, dates of birth, Social Security numbers, and credit card numbers, all of which may be exploited for fraud and identity theft.
Under the deal’s conditions, Equifax agreed to establish a fund to provide customers with free credit monitoring, identity theft protection, and cash compensation of up to $20,000 per person to people harmed by the event. Additionally, the company must pay court fees and government fines.
T-Mobile first disclosed the cybersecurity vulnerability, which was made public on August 16, 2021. According to reports, almost 77 million consumers’ personally identifiable information was stolen in the T-Mobile data breach. The stolen database data included addresses, dates of birth, Social Security numbers, driver’s license numbers, unique IMEIs and identification codes for client phones, and so on.
If approved, the $350 million T-Mobile deal will represent the second-largest payment for a data breach in US history.