The attacker claims to have obtained data on 400,000,000 Twitter users and put them up for sale on the darknet. The seller provided a sample of 1,000 accounts as evidence of the authenticity of the database, which includes personal information of famous personalities such as Donald Trump Jr., Vitalik Buterin, Brian Krebs and others.
The seller, named Ryushi, claims that the data was collected through a vulnerability. They include:
- phone numbers of celebrities, politicians, companies, ordinary users.
The seller is also offering Twitter and Elon Musk to buy the data to avoid GDPR lawsuits.
“Twitter or Elon Musk, if you're reading this, you're already at risk of a GDPR fine for 5.4 million violations, implying a fine for leaking 400 million users' data. Your best way to avoid paying a $276 million fine (like Meta did) for violating the GDPR is to buy this data,” Ryushi said.
The seller also disclosed that the sale is accompanied by an escrow service offered by Breached forum administrator under the username "pompompurin".
"It is likely that the data was obtained due to an API vulnerability that allows a threat subject to request any email/phone address and obtain a Twitter profile," explained Alon Gal, co-founder of threat intelligence firm Hudson Rock.
On November 28, 2022, the DPC charged Meta Platforms Ireland Ltd. (MPIL) in violation of GDPR rules - the company did not provide “data protection by default”. As a result of the leak, the attacker was able to exfiltrate the personal data of 533 million users. The commission fined Meta $275 million and also required it to take measures to improve cybersecurity.