The data of 400 million Twitter subscribers are for sale online: Elon Musk asked for ransom

The data archive of all Twitter subscribers (present and past) it was put up for sale by a user named Ryushi, on a popular forum dedicated to selling information from data breaches.

The seller claims that the database is private and has proof of authenticity posted a sample of 1000 accounts which also includes confidential information of prominent users such as Donald Trump JR, ​​security expert Brian Krebs and many others.

Ryushi hopes to be able to conclude an exclusive sale to a single buyer, inviting Twitter and Elon Musk to buy the data to avoid legal penalties imposed by regulations such as the GDPR: “Twitter or Elon Musk, if you are reading this, you are already facing a GDPR fine for breaching the data of more than 5.4 million users, imagine how the fine for disclosing the data of 400 million users. Your best option to avoid paying $276 million in fines for violating the GDPR like Facebook did (due to scraping 533 million users) is to buy this data exclusively,” reads the announcement posted on the forum by Ryushi.

But what data is in the archive put up for sale? The database includes emails and phone numbers of celebrities, politicians, companies and of course ordinary people, information that could be used by both cyber criminals to carry out fraud of various kinds both by nation-state attackers for targeted attacks.

The seller also announced that the sale is covered by the escrow service (in the real estate field it is what is called down payment) offered by the forum administrator, pompompurin: guarantees the seller that the buyer receives the archive only after making the payment and also guarantees that payment is made only when the purchased good is compliant to that declared and verified by the subject offering the escrow.

The claims of the seller cannot be verified at the moment, but the announcement of a new data leak represents yet another bad blow for Twitter which is experiencing a turbulent period due to the change of ownership and some strategic choices made by the management which have caused a mass flight of a part of the staff: only last Friday, the Irish Data Protection Commission has opened an investigation on the social network for a data breach that surfaced in August that reportedly impacted around 5.4 million users.

Assuming that the data is all authentic, how is it possible that a single person managed to get hold of it? This is how Alon Gal, security expert and founder of the Hudson Rock intelligence company answered the question: “It is increasingly likely that the data is valid and that it was probably obtained from a vulnerability in the programming interfaces (API, ed) that allowed attackers to interrogate the platform’s systems to obtain the email and telephone number of any Twitter profile. The flaw is similar to the one exploited in the case of the Facebook data leak which allowed access to the data of 533 million users and which resulted in a $275 million fine to Meta”.

Gal then provided an update on the discovery, according to which Twitter would have launched a sort of contest in which it is argued that the database of 400 million Twitter users announced would actually be the one with 5.4 million in August. Which, however, would be false: “This is easily disproved by comparing the samples in the new leak with the old 5.4 million version which had already leaked publicly – he explained – In the latest archive only 250 accounts out of the 1000 released as evidence belong to the August leak (the count would have been lower if it had been a sample of unverified accounts, ed). I can’t share some sensitive information I have, but as time goes by I’m more convinced that it is a leak of 400 million users and, as always, sadly ended up in the hands of every hacker for free”.

In short, if confirmed, we will be faced with a huge volume of data in the availability of the attackers with Twitter users exposed to all kinds of violations. It is also worrying about the way in which this type of incident is handled by the affected companies, especially by how the event is communicated to the public and users involved in the incident.