Hacker sells data from 400 million Twitter users on the Darknet

12/27/2022 Cybercrime, USA

400 million Twitter users’ public and private data were scraped in 2021 using a now-fixed API vulnerability, according to a threat actor. The price for an exclusive sale is $200,000.

On the Breached hacking forum, a website frequently used to sell user data obtained through data breaches, a threat actor going by the name of “Ryushi” is allegedly selling the purported data dump.

The threat actor claims to have exploited a vulnerability to gather information from more than 400 million distinct Twitter users. They warned Twitter and Elon Musk to buy the data before Europe's GDPR privacy law imposes a significant fine on them for failing to comply.

In a forum post, Ryushi stated that “Twitter or Elon Musk, if you are reading this, you are already at risk of a GDPR penalties over 5.4 million breaches envisioning the fine of 400 million users breach source.”

“Buying this data entirely is your best choice to avoid paying $276 million USD in GDPR breach fines like facebook did (due to 533 million users being scraped)”

The threat actor also included a link to a blog post outlining how other threat actors might use this information for BEC, crypto scams, and phishing attacks.

Sample data for 37 celebrities, politicians, journalists, businesses, and government organizations are included in the forum post. These individuals include Alexandria Ocasio-Cortez, Donald Trump Jr., Mark Cuban, Kevin O’Leary, and Piers Morgan. In addition, a later breach included a larger sample of 1,000 Twitter user profiles.

The user profiles include users’ email addresses, names, usernames, follower count, creation date, and phone numbers, among other public and private Twitter data. Although it appears that all of the exposed profiles contain email addresses, several of them lack phone numbers.

Although practically all of this data is publicly accessible to any Twitter user, phone numbers and email addresses are private information.

According to threat actor Ryushi, they are seeking to sell the Twitter data exclusively to Twitter for $200,000 before deleting it. If no exclusive copy is bought, they will sell copies to several buyers for $60,000 each.

Additionally, they claimed that despite calling and contacting Twitter regarding a ransom, they got no answer.

The threat actor acknowledged that they obtained the confidential email addresses and phone numbers by means of an API flaw that Twitter patched in January 2022 and that was previously linked to a 5.4 million user data leak.

Using this flaw, large lists of phone numbers and email addresses could be submitted to a Twitter API to obtain the associated Twitter user IDs. The threat actor then used each ID with another API to retrieve the user’s public profile information, creating a combined public and private Twitter user profile.
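A defender-side view of the bulk lookups described above, added here as an example and not taken from Twitter or from the original article: it flags API clients by the number of distinct identifiers they submit to a lookup endpoint and counts how many resolved to an account. The endpoint name, record layout and threshold are assumptions, and the log records are constructed.

```python
from collections import defaultdict

# Hypothetical endpoint name; the real Twitter endpoint is not named on this page.
LOOKUP_ENDPOINT = "/account/lookup"


def build_sample_log():
    """Constructed records: (client, endpoint, submitted_identifier, account_found)."""
    log = []
    # "app-7" walks a sequential phone range, the pattern of bulk enumeration.
    for i in range(200):
        log.append(("app-7", LOOKUP_ENDPOINT, f"+1555010{i:04d}", i % 3 == 0))
    # "user-1" rechecks its own two identifiers several times.
    own = ["a@example.com", "+15550199999"]
    for i in range(6):
        log.append(("user-1", LOOKUP_ENDPOINT, own[i % 2], True))
    # "app-9" is busy, but on an unrelated endpoint.
    for i in range(300):
        log.append(("app-9", "/timeline", f"req-{i}", True))
    return log


def find_enumerators(log, max_distinct=50):
    """Return {client: (distinct_identifiers, resolved_accounts)} for clients that
    sent more than max_distinct different identifiers to the lookup endpoint.

    Distinct identifiers are counted instead of raw requests: a legitimate
    client repeats a handful of values, enumeration touches many different ones.
    """
    seen = defaultdict(set)
    resolved = defaultdict(set)
    for client, endpoint, identifier, found in log:
        if endpoint != LOOKUP_ENDPOINT:
            continue
        seen[client].add(identifier)
        if found:
            resolved[client].add(identifier)
    return {
        client: (len(ids), len(resolved[client]))
        for client, ids in seen.items()
        if len(ids) > max_distinct
    }


if __name__ == "__main__":
    for client, (distinct, hits) in find_enumerators(build_sample_log()).items():
        print(f"{client}: {distinct} distinct identifiers, {hits} resolved to accounts")
```

The resolved count is the figure an incident responder needs when scoping how many accounts had a private identifier tied to a user ID.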

“I acquired access using the same vulnerability as the previous 5.4 million data breach. When I spoke to the seller, he confirmed that it was in the Twitter login flow,” the threat actor stated.

“Therefore, the userID, which I changed to a username using another API, and other information were exposed during the check for duplication.”

Although Twitter closed the issue in January 2022, it has now been established that a number of threat actors leveraged it to scrape users’ private information.

Alon Gal of the threat intelligence firm Hudson Rock has said that the firm independently validated that the samples appear to be authentic.

Please take note that it is currently not possible to completely confirm that there are 400,000,000 users in the database, as Hudson Rock noted in a tweet.

The data itself looks to be valid, according to an independent check, and we will keep track of any developments.

An EU privacy agency, the Irish Data Protection Commission (DPC), has started an inquiry into the recent publication of the 5.4 million user details obtained in 2021 via this vulnerability, so the timing of this breach of Twitter user data is unfortunate for the social media business.

According to a different threat actor, the data of 17 million users was allegedly scraped using this vulnerability. This leak, however, is still unreleased and not for sale.

Twitter is silent on the subject.