A threat actor claims to have obtained the personal information of 400 million Twitter users and is now trying to sell it. The actor published details about the security breach on a website and has even sent a warning to Twitter and Elon Musk about the incident.
The malicious actor, going by the name Ryushi, published a post claiming to have obtained a database that includes the emails, phone numbers, and other sensitive information of high-profile people. According to the post, Ryushi provided a sample of one thousand accounts to demonstrate the validity of the data, which includes the private information of prominent people such as Sundar Pichai, Steve Wozniak, US politician AOC, Kevin O’Leary, and Donald Trump Jr., among others.
The vendor has extended an invitation to Twitter and Elon Musk to purchase the data in order to protect themselves from legal action over GDPR compliance.
“Twitter or Elon Musk, if you are reading this, you are already facing a GDPR penalties over 5.4 million breach imaging the fine of 400 million users breach source,” the message reads. “If you want to avoid having to pay penalties for violating the GDPR to the tune of $276 million USD as Facebook did (due to the data of 533 million users being scraped), your best choice is to acquire this data solely,” reads the promotional material.
Additionally, the vendor disclosed that the transaction would be protected by the escrow service provided by the administrators of the Breached forum (pompompurin).
Following the publication of news of a significant data breach on Twitter a month ago, the Irish Data Protection Commission (DPC) has begun an investigation into the matter.
This breach impacted approximately 5.4 million users of Twitter and includes private phone numbers and email addresses in addition to publicly available information that was scraped from the site. The information was accessed by exploiting a vulnerability in Twitter’s API that the company had patched in January of this year.
“The DPC corresponded with Twitter International Unlimited Company (‘TIC’) in relation to a notified personal data breach that TIC claims to be the source vulnerability used to generate the datasets and raised queries in relation to GDPR compliance,” the Irish privacy regulator said in a statement released on Friday.
In addition to this, it said that it was of the opinion that “one or more sections of the GDPR and/or the Act may have been, and/or are being breached in connection to Twitter Users’ personal data.”
The hacker says that the data was collected through an attack on Twitter up to the early part of 2022. The hacker laid out in great detail the reasons why Musk should take his advice or risk facing many lawsuits in a number of jurisdictions across the world.
The data seems to include sensitive information such as the user’s email address and, in some instances, even their phone number. There is no evidence to support the assertion that the remaining material is authentic.