400 million Twitter users’ data containing private emails and linked phone numbers has reportedly been for sale on the black market.
Cybercrime intelligence firm Hudson Rock highlighted a “credible threat” via Twitter on December 24, in which someone is allegedly selling a private database containing the contact information of 400 million Twitter user accounts.
“The private database contains devastating amounts of information, including emails and phone numbers of high-profile users such as AOC, Kevin O’Leary, Vitalik Buterin and more,” Hudson Rock stated, before adding:
“In the post, the threat actor claims that the data was obtained in early 2022 due to a vulnerability on Twitter, as well as attempts to blackmail Elon Musk to buy the data or face GDPR lawsuits.”
Hudson Rock said that while it has not been able to fully verify the hacker’s claims given the number of accounts, it said an “independent verification of the data itself appears to be legitimate.”
BREAKING: Hudson Rock Discovers Credible Threat Actor Is Selling 400,000,000 Twitter Users’ Data.
The private database contains devastating amounts of information, including emails and phone numbers of high-profile users such as AOC, Kevin O’Leary, Vitalik Buterin and more (1/2). pic.twitter.com/wQU5LLQeE1
— Hudson Rock (@RockHudsonRock) 24 December 2022
Web3 security firm DeFiYield has also looked at 1,000 accounts provided as a sample by the hacker and confirmed that the data is “correct”. It also reached out to the hacker via Telegram and noted that they are active waiting for a buyer there.
If found to be true, the breach could be a major cause of concern for crypto Twitter users, especially those operating under a pseudonym.
However, some users have highlighted that such a large breach is hard to believe, given that the current number of active monthly users reportedly is around DKK 450 million.
At the time of writing, the alleged hacker still has a post up on it Violated advertising the database to buyers. It also has a specific call to action for it Elon Musk to pay $276 million to avoid having the data sold and being fined by the General Data Protection Regulation agency.
If Musk pays the fee, the hacker says they will delete the data and it won’t be sold to anyone else “to prevent a lot of celebrities and politicians from phishing, crypto scams, sim swapping, Doxxing and other things.”
The compromised data in question is believed to come from the “Zero-Day Hack” of Twitter, where an application programming interface vulnerability from June 2021 was exploited before being patched in January this year. The flaw essentially allowed hackers to scrape private information, which they then compiled into databases to sell on the dark web.
Related: Crypto Twitter Baffled by SBF’s $250 Million Bail and a Return to Luxury
Alongside this suspected database, two others have previously been identified, with one consisting of around 5.5 million users and another believed to contain as many as 17 million users, according to a Nov. 27 report from Bleeping Computer.
The dangers of having such information leaked online include targeted phishing attempts via text and email, sim swap attacks to get hold of accounts and doxing of private information.
There are some serious concerns with this.
#1 – Identities on many pseudo-accounts will be public, which poses a risk to them
#2 – With a phone number, it’s super easy to find someone’s address and bank details.
#3 – Multiple phishing attempts via cell phone, physical or email– Haseeb Awan – efani.com (@haseeb) 25 December 2022
People are advised to take precautions such as ensuring two-factor authentication settings are turned on for their various accounts, via an app and not their phone number, along with changing their passwords and storing them securely, and also using a private, self-hosted crypto wallet.
