A threat actor claims to be selling public and private data of 400 million Twitter users extracted in 2021 using a now-patched API vulnerability. They are asking $200,000 for an exclusive sale.
The alleged data dump is being sold by a threat actor named ‘Ryushi’ on the hacking forum Breached, a site commonly used to sell stolen user data in data breaches.
The threat actor claimed to have collected the data of more than 400 million unique Twitter users using a vulnerability. They warned Elon Musk and Twitter that they should buy the data before it leads to a large fine under Europe’s GDPR privacy law.
“Twitter or Elon Musk, if you’re reading this, you’re already risking a GDPR fine for over 5.4 million violations which is the fine of 400 million user violation sources,” Ryushi wrote in the forum post.
“Your best bet to avoid paying $276 million in GDPR violation penalties like Facebook did (due to 533 million users being removed) is to buy this data exclusively.”
The threat actor also linked to a post explaining how other threat actors could abuse this data for phishing attacks, crypto scams, and BEC attacks.
The forum post includes sample data from thirty-seven celebrities, politicians, journalists, corporations, and government agencies, including Alexandria Ocasio-Cortez, Donald Trump Jr., Mark Cuban, Kevin O’Leary, and Piers Morgan. In addition, a larger sample of 1,000 Twitter user profiles was later leaked.
User profiles contain public and private Twitter data, including users’ email addresses, names, usernames, number of followers, creation date, and phone numbers. Although all of the leaked profiles appear to have email addresses associated with them, many do not have phone numbers.
While almost all of this data is publicly accessible to any Twitter user, phone numbers and email addresses are private information.
The threat actor Ryushi told BleepingComputer that they are trying to sell the Twitter data exclusively to one person/Twitter for $200,000 and then they will delete the data. If an exclusive purchase is not made, they will sell copies to multiple people for $60,000 per sale.
When asked if they had contacted Twitter about the data, they told BleepingComputer that they contacted Twitter and made calls, but received no response.
Data collected using a now fixed API vulnerability
The threat actor confirmed to BleepingComputer that they harvested the private phone numbers and email addresses using an API vulnerability that Twitter fixed in January 2022 and that was previously associated with the 5.4 million user data breach.
This vulnerability allowed a person to enter large lists of phone numbers and email addresses into a Twitter API and receive the associated Twitter user ID for each one. The threat actor then used this ID with another API to retrieve the users’ public profile data, creating a Twitter user profile consisting of both public and private data.
“I gained access by the same exploit used for the 5.4m data leak. I spoke to the vendor and they confirmed that I was in the Twitter login flow,” the threat actor told BleepingComputer.
“So, in the duplication check, it leaked the user id that I converted using another API into username and other information.”
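The mechanism described above is a classic account-existence oracle: a duplicate check in a sign-up or login flow answers "this contact is already registered" and, worse, hands back the user ID that a public profile endpoint will happily expand. The following is an added illustration written for this article, not Twitter's code or any reproduction of its API: the user table, endpoint names, client identifiers and thresholds are all constructed. It places the leaky duplicate check beside a hardened one that answers identically for known and unknown contacts, and adds a small rate detector of the kind a defender would run over lookup logs to spot bulk enumeration.

```python
"""Account-existence oracle: vulnerable vs hardened duplicate check, plus detection.

Constructed example (not Twitter's code). Users, endpoints and client IDs are made up.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import time

# Constructed sample accounts; the contact index maps email/phone -> internal user ID.
USERS = {
    "u1001": {"username": "alice_example", "email": "alice@example.org", "phone": "+15550100"},
    "u1002": {"username": "bob_example", "email": "bob@example.org", "phone": None},
}
CONTACT_INDEX = {}
for _uid, _rec in USERS.items():
    CONTACT_INDEX[_rec["email"]] = _uid
    if _rec["phone"]:
        CONTACT_INDEX[_rec["phone"]] = _uid


def public_profile(user_id):
    """Public endpoint: user ID -> public profile fields. Harmless on its own."""
    rec = USERS.get(user_id)
    if rec is None:
        return None
    return {"id": user_id, "username": rec["username"]}


def duplicate_check_vulnerable(contact):
    """Vulnerable duplicate check (hypothetical): reveals that the contact is registered
    AND returns the matching user ID, which links a private contact to a public profile."""
    uid = CONTACT_INDEX.get(contact)
    if uid is None:
        return {"available": True}
    return {"available": False, "user_id": uid}  # the leak


def duplicate_check_hardened(contact):
    """Hardened duplicate check (hypothetical): the response is byte-identical whether or
    not the contact exists. Ownership is confirmed out of band (e.g. a one-time code sent
    to the contact), so the reply itself carries no existence signal and no ID."""
    _ = CONTACT_INDEX.get(contact)  # lookup still happens server-side, result not exposed
    return {"status": "verification_sent"}


def exposed_linkage(contact, checker):
    """Risk assessment helper: what a single contact lookup exposes when the duplicate
    check is paired with the public profile endpoint. None means nothing is linkable."""
    uid = checker(contact).get("user_id")
    if uid is None:
        return None
    return dict(public_profile(uid), contact=contact)


@dataclass
class LookupRateDetector:
    """Flags a client that issues more than `limit` contact lookups within `window`
    seconds. Legitimate sign-ups check one or two contacts; bulk list submission does not."""
    limit: int = 20
    window: float = 60.0

    def __post_init__(self):
        self._events = defaultdict(deque)

    def record(self, client_id, now=None):
        """Record one lookup for `client_id`; returns True when the client is over the limit."""
        now = time.monotonic() if now is None else now
        q = self._events[client_id]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


if __name__ == "__main__":
    for checker in (duplicate_check_vulnerable, duplicate_check_hardened):
        print(checker.__name__, "->", exposed_linkage("alice@example.org", checker))
    det = LookupRateDetector(limit=3, window=60.0)
    print([det.record("client-A", now=float(t)) for t in range(5)])
```

The hardened variant is the fix that matters: rate limiting and detection narrow the window, but as long as the response differs for registered and unregistered contacts, a patient client with enough addresses will still build the private-to-public mapping the article describes.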
While Twitter patched the vulnerability in January 2022, it has now been confirmed that multiple threat actors have used it to extract private information from Twitter users.
Regarding this new leak, BleepingComputer has only been able to confirm two of the leaked Twitter profiles as valid.
However, Alon Gal of the threat intelligence firm Hudson Rock has said that they have independently verified that the leaked samples appear legitimate.
“Please note: at this stage it is not possible to fully verify that there are indeed 400,000,000 users in the database,” tweeted Hudson Rock.
“From independent verification, the data itself appears to be legitimate and we will follow up on any developments.”
This Twitter user data leak comes at a bad time for the social media company, as an EU privacy watchdog, the Irish Data Protection Commission (DPC), has started an investigation into the recent publication of the 5.4 million user records stolen in 2021 using this vulnerability.
Another threat actor claimed to have also used this vulnerability to scrape the data of an alleged 17 million users. However, this leak is still private and not for sale.
BleepingComputer reached out to Twitter with further questions about the sale of this data, but a response was not immediately available.