Reports have surfaced that the personal information of 400 million Twitter users, including email addresses and phone numbers, has been available for purchase on the dark web.
On December 24th, cybercrime intelligence firm Hudson Rock tweeted about a “credible threat,” in which someone is allegedly selling a private database including contact information for 400 million Twitter user accounts.
As Hudson Rock put it, “The secret database contains devastating quantities of information including emails and phone numbers of high profile people such as AOC, Kevin O’Leary, Vitalik Buterin & more.”
“In the article, the threat actor claims the data was collected in early 2022 through a hole in Twitter and is also seeking to coerce Elon Musk to buy the data or face GDPR lawsuits,” the report states.
Though Hudson Rock admits it cannot independently verify all of the hacker’s claims due to the sheer volume of accounts involved, it does say that “independent verification of the material itself looks to be real.”
DeFiYield, a Web3 security firm, also examined the hacker-provided sample of 1,000 accounts and confirmed that the data is “genuine.” The hacker was also contacted via Telegram and revealed that they are actively seeking a buyer.
If confirmed, the hack might be quite worrying for Crypto Twitter users, especially those who use aliases.
Some users, however, have pointed out that, with 450 million claimed monthly users as of late, it’s difficult to think such a massive hack actually occurred.
The alleged hacker’s post on Breached offering the database for sale is still active as of this writing. The post also includes a demand that Elon Musk pay $276 million to prevent the data from being sold and to avoid a fine from the organisation responsible for enforcing the General Data Protection Regulation.
If Musk pays the ransom, the hacker promises to remove the information and not sell it to anyone else “to prevent a lot of celebrities and politicians from Phishing, Crypto frauds, Sim swapping, Doxxing, and other things.”
The compromised information is believed to have originated from the “Zero-Day Hack” on Twitter, which exploited an API flaw discovered in June 2021 and fixed in January of this year. The vulnerability essentially granted hackers the ability to scrape sensitive information, which they then assembled into databases and offered for sale on the dark web.
Targeted phishing via text and email, SIM-swap attacks to gain access to accounts, and doxing are all possible outcomes of a data leak of this nature.