
Data from 400 million Twitter accounts is at risk of being sold. Here’s what we know so far

  • A threat actor claims to be selling public and private data of 400 million Twitter users scraped in 2021, with an asking price of US$200,000 for an exclusive sale.
  • They even warned Elon Musk and Twitter that they should purchase the data before it leads to a large fine under Europe’s GDPR privacy law.

In January 2022, Twitter received a report through its bug bounty program that an API vulnerability allowed an attacker to submit data such as email addresses or phone numbers and get back the Twitter ID of the associated registered account. By the time Twitter remedied the problem, it was too late: a threat actor had already leveraged the API vulnerability to input millions of email addresses and phone numbers.

This led to the creation of 5.4 million user profiles consisting of public and non-public data. The stolen data was then put up for sale on a hacker forum in July 2022 for US$30,000, with two people allegedly buying it for less than the original asking price. Then, in September 2022 and November 2022, a threat actor released a JSON file containing the complete set of 5.4 million records scraped in 2021.

Making matters worse, a threat actor this week came forward with claims to be selling public and private data of 400 million Twitter users scraped in 2021 using the now-fixed API vulnerability. This time, they are asking US$200,000 for an exclusive sale. According to a report by BleepingComputer, the threat actor claimed to have collected the data of over 400 million unique Twitter users using the same vulnerability from 2021. 

The threat actor even warned Elon Musk and Twitter that they should purchase the data before it leads to a large fine under Europe’s GDPR privacy law. “Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imaging the fine of 400m users breach source,” wrote Ryushi, the threat actor, in a Breached hacking forum post.

Musk and Twitter are effectively being blackmailed: either pay to buy back the data or face a fine under the GDPR’s strict rules on breaches. “Your best option to avoid paying US$276 million in GDPR breach fines like facebook did (due to 533 million users being scraped) is to buy this data exclusively.”

The threat actor also confirmed to BleepingComputer that they collected the private phone numbers and email addresses using an API vulnerability that Twitter fixed in January 2022 and that was previously associated with the 5.4 million user data breach. The vulnerability allowed a person to feed large lists of phone numbers and email addresses into a Twitter API and receive the associated Twitter user IDs.

The threat actor then used each ID with another API to retrieve the public profile data for that user, building Twitter user profiles consisting of public and private data. Although Twitter fixed the vulnerability in January 2022, it has now been confirmed that multiple threat actors used it to scrape private information from Twitter users.
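The lookup flaw described above is a textbook account-enumeration weakness: an endpoint that takes a contact detail and answers with an account identifier lets a bulk caller turn any list of emails or phone numbers into a list of accounts. The Python below is an added example, not Twitter’s code or anything from the BleepingComputer report. It places the vulnerable response pattern beside a hardened one (the same reply whether or not the contact is registered, no identifier returned, and a per-caller rate limit), and adds a detector that scans constructed access-log lines for a client resolving many distinct contacts in a short window. The account table, the `/contact_lookup` path, the log format and all sample values are assumptions constructed for the example.

```python
"""Account enumeration via a contact-lookup endpoint: vulnerable vs hardened
response, plus a log-based detector. Everything here is constructed for
illustration; it is not Twitter's implementation."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account table (hypothetical): contact -> internal user id.
ACCOUNTS = {
    "alice@example.com": 1001,
    "+15555550100": 1001,
    "bob@example.com": 1002,
}


def lookup_vulnerable(contact: str) -> dict:
    """Vulnerable pattern: the reply reveals both whether the contact is
    registered and which account it maps to, so a bulk caller can resolve a
    large contact list to user ids."""
    return {"found": contact in ACCOUNTS, "user_id": ACCOUNTS.get(contact)}


class SlidingWindowLimiter:
    """Allow at most `limit` calls per caller key within `window`."""

    def __init__(self, limit: int, window: timedelta):
        self.limit = limit
        self.window = window
        self.events = defaultdict(list)

    def allow(self, key: str, now: datetime = None) -> bool:
        now = now or datetime.now()
        cutoff = now - self.window
        recent = [t for t in self.events[key] if t > cutoff]
        if len(recent) >= self.limit:
            self.events[key] = recent
            return False
        recent.append(now)
        self.events[key] = recent
        return True


def lookup_hardened(contact: str, caller: str, limiter: SlidingWindowLimiter) -> dict:
    """Hardened pattern: identical reply whether or not the contact exists,
    no identifier is returned, and each caller is rate limited. Any real
    work (e.g. notifying the account owner) happens out of band."""
    if not limiter.allow(caller):
        return {"status": "rate_limited"}
    _ = ACCOUNTS.get(contact)  # outcome deliberately not exposed to caller
    return {"status": "accepted"}


# Constructed access log (hypothetical format):
# "<ISO timestamp> <client> <endpoint> <contact-hash>"
SAMPLE_LOG = """\
2021-06-01T10:00:00 10.0.0.5 /contact_lookup h1
2021-06-01T10:00:01 10.0.0.5 /contact_lookup h2
2021-06-01T10:00:02 10.0.0.5 /contact_lookup h3
2021-06-01T10:00:03 10.0.0.5 /contact_lookup h4
2021-06-01T10:00:04 10.0.0.5 /contact_lookup h5
2021-06-01T10:00:05 10.0.0.5 /contact_lookup h6
2021-06-01T10:00:02 10.0.0.9 /contact_lookup h7
2021-06-01T10:00:03 10.0.0.9 /profile/1002 -
2021-06-01T10:03:00 10.0.0.9 /contact_lookup h8
"""


def flag_enumerators(log_text: str, threshold: int, window: timedelta) -> set:
    """Return clients that queried at least `threshold` distinct contacts on
    the lookup endpoint within any `window`-long span."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, endpoint, contact = line.split()
        if endpoint != "/contact_lookup":
            continue
        per_client[client].append((datetime.fromisoformat(ts), contact))

    flagged = set()
    for client, events in per_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {c for t, c in events[i:] if t - start <= window}
            if len(distinct) >= threshold:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"))
    lim = SlidingWindowLimiter(limit=3, window=timedelta(minutes=1))
    for c in ["alice@example.com", "nobody@example.com", "bob@example.com", "x@example.com"]:
        print(c, lookup_hardened(c, "client-A", lim))
    print(flag_enumerators(SAMPLE_LOG, threshold=5, window=timedelta(seconds=60)))
```

The hardened handler removes the signal that made bulk resolution worthwhile (existence plus identifier), while the detector gives operations a way to spot the remaining risk: one client walking a contact list against the endpoint, which is what the scrape described above would look like in access logs.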

Wrong time for Twitter and its data mayhem.

The leak of Twitter user data comes at a bad time for the social media company, since an EU privacy watchdog, the Irish Data Protection Commission (DPC), has begun an investigation into the recent publishing of the 5.4 million user records stolen in 2021 using this vulnerability.

The Irish authority said that after discussions with Twitter on the matter, it considers “one or more provisions” of the EU’s General Data Protection Regulation may have been — and may continue to be — infringed. The authority is the lead watchdog for some of Silicon Valley’s biggest tech firms that have set up an EU base in the country. Under GDPR, it wields the power to levy fines of as much as 4% of a company’s annual sales.

Since Musk’s takeover of Twitter, Europe has been particularly quick to demand that the platform keep up with its regulatory requirements, and regulators have been watching for any sign that Twitter may run afoul of European speech laws. The first warning came from the European Commission’s executive vice president Margrethe Vestager, who oversees digital policy for the 27-nation bloc.

“There is a European rulebook, and you should live by it,” she said, in her first interview since Musk took over Twitter. “Otherwise, we have penalties. We have the fines. We have all the assessments and all the decisions that will come to haunt you.” When asked if European regulators are now scrutinizing Twitter, Vestager replied: “Of course we are. We have the responsibility to enforce this legislation. This is what we have promised. Voters, consumers and users have had promises made.” 

When Musk tweeted that “the bird is freed,” around the time of his purchase of Twitter, Thierry Breton replied, “In Europe, the bird will fly by our EU rules.” Breton is a European commissioner for the internal market who is also leading the bloc’s new Digital Services Act. In response to Breton’s warning, Musk did say he is “very much on the same page” as the EU about the new online rules, which — among other things — require large platforms to police illegal content and assess the risk of the harm their services pose, including from disinformation.