Hacker Demands a $200K Ransom From Twitter After Stealing the Data of 400M Users
An unknown hacker is trying to coerce Twitter into paying for the data of 400 million of its users to avoid a hefty GDPR fine.
An unknown hacker is trying to coerce Twitter into paying for the data of 400 million of its users to avoid a hefty GDPR fine. The threat actor has offered to ‘sell’ the data to Twitter for $200,000, which is significantly less than the Irish Data Protection Commission’s (DPC) $275 million privacy-related penalty to Meta.
The hacker’s post on the Breached hacking forum, dated December 23, 2022, states the offer is the “best option” for the company to avoid paying a fine to a privacy regulator. To convince the company, the hacker directly addresses Twitter chief Elon Musk, telling him to “just run a poll on twitter like usual and people will choose their fate.”
A sample of the data posted by a hacker, going by the nickname Ryushi, on Breached was verified to contain emails and phone numbers of high-profile users, including former Australian prime minister Scott Morrison, congresswoman Alexandria Ocasio-Cortez, Mark Cuban, Kevin O’Leary, Sundar Pichai, Ethereum founder Vitalik Buterin, Donald Trump Jr., Steve Wozniak, Piers Morgan, etc.
The data includes publicly available data, such as names, usernames, follower count, and account creation date, and private data, such as email addresses and phone numbers. The emails and phone numbers have been redacted from the leaked sample list assessed by threat intelligence company Hudson Rock.
Twitter 400 Million Sample List | Source: Hudson Rock
“From an independent verification the data itself appears to be legitimate and we will follow up with any developments,” noted Hudson Rock, adding: “At this stage it is not possible to fully verify that there are indeed 400,000,000 users in the database.”
Ryushi, who joined Breached in December 2022, said they would delete all data if Twitter forked out $200,000. If not, the hacker told BleepingComputer that they would sell it to multiple buyers for $60,000 per copy.
The threat actor claims to have obtained the on-sale data by exploiting the same Twitter vulnerability that allowed the leak of the data of 5.4 million Twitter users in one instance (revealed in August 2022) and of 1.4 million users in another (which came to light in November 2022). Twitter patched the vulnerability in January 2022, six months after it was discovered. However, it seems threat actors managed to wreak significant damage in that time.
The Twitter vulnerability in question allowed anyone to find the accounts associated with any phone number and email address through the ‘discoverability’ function.
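As an added illustration (not Twitter’s code, and based only on the description above), the snippet below contrasts a contact-discovery lookup that resolves any email or phone number to an account with one that honours each user’s discoverability opt-in and caps how many lookups a single caller may make. The user records, opt-in flags, and rate limit are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class User:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = False  # user-controlled opt-in (assumed model)
    discoverable_by_phone: bool = False


# Constructed sample directory, not real accounts.
USERS = [
    User("alice", "alice@example.com", "+15550001", discoverable_by_email=True),
    User("bob", "bob@example.com", "+15550002"),
]


def lookup_vulnerable(identifier: str) -> Optional[str]:
    """Weak form: any caller can map any email/phone to a handle, opt-in ignored."""
    for u in USERS:
        if identifier in (u.email, u.phone):
            return u.handle
    return None


class RateLimited(Exception):
    """Raised once a caller exceeds its lookup quota (a real service would send HTTP 429)."""


class Discovery:
    """Hardened form: respects opt-in per channel and budgets lookups per caller."""

    def __init__(self, limit_per_caller: int = 3):
        self.limit = limit_per_caller
        self.calls = defaultdict(int)

    def lookup(self, caller: str, identifier: str) -> Optional[str]:
        self.calls[caller] += 1
        if self.calls[caller] > self.limit:
            raise RateLimited(caller)
        for u in USERS:
            if identifier == u.email and u.discoverable_by_email:
                return u.handle
            if identifier == u.phone and u.discoverable_by_phone:
                return u.handle
        return None  # same answer for "no account" and "account opted out"


def probe(svc: Discovery, caller: str, identifiers: List[str]) -> List[Optional[str]]:
    """Runs a batch of lookups; records 'rate-limited' where the quota cut the caller off."""
    results: List[Optional[str]] = []
    for ident in identifiers:
        try:
            results.append(svc.lookup(caller, ident))
        except RateLimited:
            results.append("rate-limited")
    return results
```

Note that the hardened lookup answers identically whether an identifier is unknown or belongs to a user who opted out, so a caller learns nothing from a negative response.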
Twitter was handed a $150 million privacy-related fine in May 2022. The company faces another ordeal from the Irish DPC, which on December 23 opened an investigation into the leak of 5.4 million users. The DPC has not stated its intention to probe the leak of 400 million users claimed by Ryushi.
Image source: Shutterstock