Hacker claims to be selling Twitter data of 400 million users


A threat actor claims to be selling public and private data of 400 million Twitter users scraped in 2021 using a now-fixed API vulnerability. They’re asking $200,000 for an exclusive sale.

The alleged data dump is being sold by a threat actor named ‘Ryushi’ on the Breached hacking forum, a site commonly used to sell user data stolen in data breaches.

The threat actor claimed to have collected the data of 400+ million unique Twitter users using a vulnerability. They warned Elon Musk and Twitter that they should purchase the data before it leads to a large fine under Europe’s GDPR privacy law.

“Twitter or Elon Musk if you’re reading this you’re already risking a GDPR fine over 5.4m breach imaging the fine of 400m users breach source,” wrote Ryushi in a forum post.

“Your only option to avoid paying $276 million USD in GDPR breach fines like fb did (due to 533m users being scraped) is to buy this data exclusively.”

Forum post selling the data for an alleged 400 million Twitter users
Source: BleepingComputer

The threat actor also linked to a post explaining how this data could be abused by other threat actors for phishing attacks, crypto scams, and BEC attacks.

The forum post includes sample data for thirty-seven celebrities, politicians, journalists, corporations, and government agencies, including Alexandria Ocasio-Cortez, Donald Trump JR, Mark Cuban, Kevin O’Leary, and Piers Morgan. In addition, a larger sample of 1,000 Twitter user profiles was leaked later.

The user profiles contain public and private Twitter data, including users’ email addresses, names, usernames, follower count, creation date, and phone numbers. Although all of the leaked profiles appear to have email addresses associated with them, many do not have phone numbers.

While almost all of this data is publicly accessible to any Twitter user, phone numbers and email addresses are private information.

The threat actor Ryushi told BleepingComputer that they are trying to sell the Twitter data exclusively to a single person/Twitter for $200,000 and will then delete the data. If an exclusive purchase is not made, they will sell copies to multiple people for $60,000 per sale.

When asked if they contacted Twitter to ransom the data, they told BleepingComputer that they contacted Twitter and made calls but didn’t receive a response.

Data collected using now-fixed API vulnerability

The threat actor confirmed to BleepingComputer that they collected the private phone numbers and email addresses using an API vulnerability that Twitter fixed in January 2022 and was previously associated with a 5.4 million user data breach.

This vulnerability allowed a person to feed large lists of phone numbers and email addresses into a Twitter API and receive an associated Twitter user ID. The threat actor then used this ID with another API to retrieve the public profile data for the users, building a Twitter user profile consisting of public and private data.

“I gained access by same exploit used for 5.4m data leak already. Spoke with the seller of it and he confirmed it was in twitter login flow”, the threat actor told BleepingComputer.

“So, in the check for duplication it leaked the userID which i converted using another api to username and other information.”

While Twitter fixed the vulnerability in January 2022, it has now been confirmed to have been used by multiple threat actors to scrape private information from Twitter users.
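The class of flaw described above, a duplication check that reveals which account an email address or phone number belongs to, is shown here beside a hardened variant. This is an added example, not Twitter's code or anything from the original article; the function names, the sample accounts, and the per-client limit are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample accounts; identifiers and IDs are invented for this example.
USERS = {"alice@example.com": 1001, "+15550100": 1002}

def duplicate_check_leaky(identifier):
    """Behaviour described in the article: the duplication check reveals
    which account an email address or phone number belongs to."""
    user_id = USERS.get(identifier)
    if user_id is None:
        return {"status": "available"}
    return {"status": "taken", "user_id": user_id}

class DuplicateCheckHardened:
    """Hypothetical hardened check: identical response for every identifier,
    plus a per-client cap on how many distinct identifiers may be checked."""

    def __init__(self, max_distinct=3):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)  # client -> digests of identifiers tried

    def check(self, client, identifier):
        digest = hashlib.sha256(identifier.encode()).hexdigest()
        tried = self.seen[client]
        if digest not in tried and len(tried) >= self.max_distinct:
            return {"status": "rate_limited"}
        tried.add(digest)
        # Same body whether or not the identifier is registered; the real
        # outcome is delivered out of band (a message to that address).
        return {"status": "accepted"}

def demo():
    # Constructed probe list mixing registered and unregistered identifiers.
    probes = ["alice@example.com", "nobody@example.com", "+15550100",
              "+15550101", "+15550102"]
    leaked = [duplicate_check_leaky(p).get("user_id") for p in probes]
    api = DuplicateCheckHardened(max_distinct=3)
    hardened = [api.check("client-A", p)["status"] for p in probes]
    return leaked, hardened

if __name__ == "__main__":
    print(demo())
```

The leaky check maps registered identifiers to user IDs, while the hardened one gives the same answer for registered and unregistered identifiers and stops a single client after three distinct lookups.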

As for this new leak, BleepingComputer has only been able to confirm two of the leaked Twitter profiles as valid.

However, Alon Gal of threat intelligence company Hudson Rock has stated that they independently verified that the leaked samples appear legit.

“Please Note: At this stage it’s not possible to fully verify that there are indeed 400,000,000 users in the database,” tweeted Hudson Rock.

“From an independent verification the data itself appears to be legit and we’ll follow up with any developments.”

This leak of Twitter user data comes at a bad time for the social media company, as an EU privacy watchdog, the Irish Data Protection Commission (DPC), has begun an investigation into the recent publishing of the 5.4 million user records stolen in 2021 using this vulnerability.

Another threat actor claimed to have also used this vulnerability to scrape the data of an alleged 17 million users. However, this leak is still private and is not being sold.

BleepingComputer reached out to Twitter with further questions about the sale of this data, but a response was not immediately available.
