Private Info of 400 Million Twitter Users Reportedly Being Sold on Black Market
It has been reported that a private database containing the personal information of 400 million Twitter users, including emails and phone numbers, is being sold on the black market.
Cybercrime intelligence firm Hudson Rock warned of this “credible threat” on Twitter and stated that the database includes the contact information of high profile users such as Alexandria Ocasio-Cortez, Kevin O’Leary, and Vitalik Buterin.
Hudson Rock added, “In the post, the threat actor claims the data was obtained in early 2022 due to a vulnerability in Twitter, as well as attempting to extort Elon Musk to buy the data or face GDPR lawsuits.”
According to Hudson Rock, it has not been able to fully confirm the validity of the hacker’s claims due to the large number of accounts involved, but the company stated that an independent verification of the data appears to be legitimate.
Web3 security firm DeFiYield also examined a sample of 1,000 accounts provided by the hacker and verified that the data is genuine.
The company also communicated with the hacker via Telegram and noted that they are actively seeking a buyer for the database. If the breach is confirmed, it could be a cause for concern for Twitter users, particularly those who use pseudonyms, although some have questioned the feasibility of such a large-scale breach given the current number of active monthly users, which is estimated to be around 450 million.
The hacker is still advertising the database for sale on Breached and has called on Elon Musk to pay a fee of $276 million to prevent the data from being sold and to avoid a fine from the General Data Protection Regulation agency.
If Musk pays the fee, the hacker said that they will delete the data and it will not be sold to anyone else in order to prevent celebrities and politicians from being targeted by phishing, crypto scams, sim swapping and other threats.
The data breach is believed to have resulted from the “Zero-Day Hack” on Twitter in which a vulnerability in the application programming interface was exploited in June 2021 before it was patched in January of this year. The vulnerability allowed hackers to collect private information and compile it into databases to sell on the dark web.
In addition to the reported database of 400 million users, two other databases have previously been identified, one containing around 5.5 million users and another thought to contain as many as 17 million users, according to a report from Bleeping Computer on November 27. The risks of having this type of personal information leaked online include targeted phishing attempts via text and email, sim swap attacks to gain access to accounts, and the doxxing of private information.
It is recommended for people to take precautions to protect their accounts, by enabling the two-factor authentication through an app rather than their phone number, changing their passwords and storing them securely, and using a private self-hosted crypto wallet.