An Allegedly Credible Hacker Is Trying To Sell Stolen Data Of 400M Twitter Users

Back in August of this year, an unknown actor operating under the username “devil” posted information relating to 5.4 million Twitter users for sale on BreachForums. This data included the email addresses and phone numbers tied to users’ accounts. Now, someone with the username “Ryushi” claims to be selling a similar database containing information for over 400 million Twitter accounts.

The database listed for sale in August was scraped from Twitter in December 2021. This data collection process leveraged a vulnerability in the Twitter login process that exposed the unique user IDs assigned to each Twitter account, facilitating the further exposure of email addresses and phone numbers. This vulnerability was fixed in January 2022, but not before threat actors managed to exploit it.

BreachForums post selling stolen information for 400 million Twitter accounts

If a new post on BreachForums is to be believed, the database containing 5.4 million Twitter users’ information pales in comparison to a database now up for grabs that is said to contain the email addresses and phone numbers of 400 million Twitter accounts. According to Hudson Rock, a cybercrime intelligence company, the user who posted the database for sale is a credible threat actor. Additionally, the forum post contains two samples of the stolen data, and Hudson Rock claims that an independent analysis has verified the legitimacy of this data.

In an interview with BleepingComputer, the threat actor revealed an intention to sell the data to a single buyer for $200,000 or to multiple buyers for $60,000 each. The forum post listing the data for sale also includes an attempt to extort Twitter and Elon Musk by pointing to an investigation recently announced by Ireland’s Data Protection Commission. According to the watchdog, Twitter may have violated multiple General Data Protection Regulation (GDPR) provisions in exposing the information of 5.4 million of its users.

Twitter may already be fined for exposing these users’ information, and, as the threat actor’s forum post points out, the release of information relating to over 400 million Twitter accounts could make such a fine even more likely. The threat actor also lists a number of perverse use-cases for the stolen information, suggesting that Twitter users may undergo extensive cyberattacks if the database were to fall into the wrong hands. In light of these threats, the forum post asks Elon Musk to buy the database on behalf of Twitter, with the threat actor promising to delete the database and never sell it again.

The hacked Twitter account of Piers Morgan, whose information appears in the sample data

Regardless of the fate of the entire database, it appears that the sample data revealed in the forum post may have already facilitated a cyberattack on at least one Twitter account. Earlier today, the account belonging to the television personality Piers Morgan was hacked, leading to a series of wild and offensive tweets from the account. Since Morgan’s email address appears in the sample data posted by the threat actor, it’s likely that another actor leveraged this information to gain unauthorized access to Morgan’s Twitter account by way of a phishing attack. The sample data includes the phone numbers and email addresses of many more popular figures, companies, and government organizations, so Morgan’s Twitter account may be only the first of many casualties resulting from the release of this information.

No matter who ends up buying the stolen database that is currently for sale, the appearance of this second database tells us that multiple threat actors may have leveraged the Twitter vulnerability that exposed users’ information, and there may still be similar databases yet to be sold or revealed to the public. Thus, Twitter users may want to change the email addresses and phone numbers associated with their accounts now to protect against future phishing attacks. For users who take this step, messages that appear to be from Twitter but are sent to the email addresses and phone numbers previously associated with their accounts can be safely treated as phishing attempts and ignored.