A hacker is offering data of some 400 million Twitter accounts for sale that is said to have been scraped via an application programming interface vulnerability.
Elon Musk, the new CEO of Twitter, is dealing with a lot of things right now, but a new one that seems to be the biggest just came up. A hacker named Ryushi said that he or she had access to the personal information of more than 400 million Twitter users. As proof, the hacker posted a sample of data with names like Donald Trump Jr., Steve Wozniak, Charlie Puth, Salman Khan, Sundar Pichai—the CEO of Google—Bollywood actor Salman Khan, and more. The hacker also links to a .CSV file with the same information for an additional 1,000 Twitter users as further proof.
The former Australian prime minister Scott Morrison appeared to be among 400 million Twitter users whose partial data was leaked, along with celebrities including the model Cara Delevingne and US politician Alexandria Ocasio-Cortez.
Morrison’s Twitter account was included in a sample of data released by an alleged cybercriminal last week.
Morrison’s only public email address was mentioned in the hack, and his phone number was not listed, which may limit any potential harm.
The hacker hopes that Elon Musk will buy the data so he won’t get fined by the EU for a GDPR data breach, which could cost up to $276 million. He says some of these private data are emails and phone numbers.
The hacker claimed the data had been “scraped” from Twitter and included emails and phone numbers of celebrities, politicians, companies, and normal users. He offered it for sale exclusively to Twitter for $200,000 in order to avoid paying GDPR fines.
He or she has also posted another link and said that it doesn’t show even 1% of the information he has.
Alon Gal, co-founder and chief technology officer at Israel-based cybercrime intelligence firm Hudson Rock, says that the data posted by the hacker has been checked by a third party and found to be real. The hacker says he or she got the information by taking advantage of a flaw, but Gal thinks it came from an API flaw that let the hacker “query any email/phone and get a Twitter profile.”
The news comes after the Irish Data Protection Commission (DPC) started looking into a Twitter data leak that put the private information of more than 5.4 million users at risk last year. It had information like email addresses, phone numbers, and Twitter handles.
In August, Twitter admitted that a vulnerability in its API systems identified in January had allowed people to discover what, if any Twitter account was associated with a phone number or email address. By exploiting the vulnerability, people could patch together a data record of both public and private information – such as the private phone numbers and emails of high profile users.
The bug was caused by an update to Twitter’s code in June 2021. It was patched once identified, but in July 2022, Twitter learned “a bad actor had taken advantage of the issue before it was addressed”.
Twitter has not said anything official yet.