There is ongoing wild speculation on the internet across several forums, blogs, news websites, and social media platforms about Twitter users’ database breach following the claims by a threat actor to have obtained the data of 400,000,000 (400 million) Twitter users and is attempting to sell it.
Source: Reddit
The hacker in question, claiming to have gotten his hands on a pharaonic quantity of Twitter accounts, is a member of data breach forums with the pseudonym “Ryushi”. The seller claims the data was scraped via a vulnerability containing emails and phone numbers of celebrities, politicians, companies, normal users, and many OG and unique usernames. This was posted on December 23, 2022, at 01:35 PM.
Source: 4Chan.org
As an appetizer, the seller broadcasts the data of 1,000 personal accounts so potential buyers can verify their authenticity. Among this database released as an appetizer is a piece of information from Donal Trump Jr. and cybersecurity specialist Brian Krebs, among others. But before releasing the information he has collected, Ryushi explains his position thus: “Twitter or Elon Musk, if you read this, you currently risk a GDPR fine of more than 5.4 million violations, so imagine a fine for an infringement affecting 400 million users. Your best option to avoid paying $276 million in fines for GDPR violations like Facebook did (because of 533 million affected users) is to buy that data exclusively.”
Last July, the personal data of 5.4 million users was leaked and was on sale for $30,000. It is to this story that the hacker refers in his message.
But according to Alon Gal, co-founder and chief technical officer of cybercrime intelligence firm Hudson Rock, the leak has nothing to do with the 5.4 million Twitter accounts stolen earlier this year. The sample of 1,000 accounts does not show enough similarities with the 5.4 million accounts. On the other hand, this new leak seems perfectly credible, even if Alon Gal does not confirm the figure of 400 million stolen accounts.
Another case that Twitter and its new CEO would certainly have liked to do without… While waiting for the next one, most certainly.
The Irish Data Protection Commission on Friday announced an investigation into an August incident that saw the contact records of 5.4 million Twitter users dumped on the same forum favoured by Ryushi.
