It’s probably safe to say that, under new management, Twitter is having a pretty rocky time. And the ride may have just gotten rougher, as a hacker is claiming to have gotten their hands on the data of 400 million users. As you’d probably expect at this point, the hacker is putting them up for sale.
Israeli cybercrime intelligence company Hudson Rock shared the discovery on Twitter itself. Included in the tweet were two images. One is the post by the reported seller who goes by the handle Ryushi on BreachForums, which also comes with a touch of extortion intended for current Twitter owner Elon Musk.
BREAKING: Hudson Rock discovered a credible threat actor is selling 400,000,000 Twitter users data.
The private database contains devastating amounts of information including emails and phone numbers of high profile users such as AOC, Kevin O'Leary, Vitalik Buterin & more (1/2). pic.twitter.com/wQU5LLQeE1
— Hudson Rock (@RockHudsonRock) December 24, 2022
In the post, the hacker claims that it is in Musk’s best interest to be the exclusive buyer of this data, or risk a massive General Data Protection Regulation (GDPR) fine by the EU. They also drew a parallel to Facebook paying US$276 million (~RM1.22 billion) for the leak of 533 million users’ data to drive the point home. The hacker also claims further down the thread that the data was obtained via a Twitter vulnerability that was patched in early 2022.
The second image included in the Hudson Rock tweet is a “sample” of the kind of data that can be found among the 400 million. This includes the usernames, email addresses, phone number, creation date and follower count of a number of prominent Twitter accounts, ranging from US politicians to media personalities, totaling to 1000. Another security firm, DeFiYield, has claimed that this is real, based on the 1000 accounts provided in the sample.
2/ Yes, this is real.
We have checked each of 1,000 accounts given by the hacker as the SAMPLE.
We were able to verify the big % of these accounts' data is real: both emails and phone numbers. pic.twitter.com/Q3IsU2GhWh
— DeFiYield 🛡️ Web 3 Security (@DefiyieldSec) December 25, 2022
According to Security Affairs, Hudson Rock co-founder Alon Gal has explained on LinkedIn that this 400 million account database is not the same one as a similarly reported data leak back in August, involving 5.4 mjillion users. Either way, it’s another reminder to change up your password and use 2FA for your social media accounts, especially Twitter.