Data of 400 million Twitter users containing private emails and linked phone numbers have reportedly been for sale on the black market.
Cybercrime intelligence firm Hudson Rock highlighted a "credible threat" via Twitter on December 24 in which someone is allegedly selling a private database containing contact information for 400 million Twitter user accounts.
"The private database contains devastating amounts of information, including emails and phone numbers of high-profile users like AOC, Kevin O'Leary, Vitalik Buterin and more," Hudson Rock stated, before adding that:
โIn the post, the threat actor claims that the data was obtained in early 2022 due to a vulnerability in Twitter, as well as attempting to extort money from Elon Musk. to buy the data or face GDPR lawsuits.โ
Hudson Rock said that while he has not been able to fully verify the hacker's claims given the number of accounts, he said that an "independent verification of the data itself appears to be legitimate."
BREAKING: Hudson Rock has discovered that a credible threat actor is selling data on 400,000,000 Twitter users.
The private database contains devastating amounts of information, including emails and phone numbers of high-profile users like AOC, Kevin O'Leary, Vitalik Buterin, and more (1/2). pic.twitter.com/wQU5LLQeE1
โ Hudson Rock (@RockHudsonRock) December 24, 2022
Web3 security company DeFiYield also analyzed 1,000 accounts provided as a sample by the hacker and verified that the data is "real." He also contacted the hacker via Telegram, noting that they are actively wait for a buyer there.
If found to be true, the breach could be a significant cause for concern for cryptocurrency users of Twitter, particularly those operating under a pseudonym.
However, some users have highlighted that it is hard to believe that a breach on such a scale would be large, given that the current number of monthly active users reportedly around 450 million.
At the time of writing, the alleged hacker still has a post on broken advertise the database to buyers. It also has a specific call to action for Elon Musk to pay $276 million to prevent the data from being sold and face a fine from the General Data Protection Regulation agency.
If Musk pays the fee, the hacker says he will delete the data and it will not be sold to anyone else "to prevent a lot of celebrities and politicians from being phished, crypto scams, Sim trading, Doxxing and whatnot."
The data breach in question is understood to come from the "Zero-Day Hack" on Twitter in which an application programming interface vulnerability June 2021 was exploited before it was patched in January this year. The bug essentially allowed hackers to extract private information that they then compiled into databases to sell on the dark web.
Related: Crypto Twitter confused by SBF's $250 million bail and return to luxury
Alongside this alleged database, two others have been previously identified, one consisting of around 5.5 million users and another believed to contain as many as 17 million users, according to a report on November 27. report by Bleeping Computer.
The dangers of such information leaking online include targeted phishing attempts via text and email messages, sim-swapping attacks to obtain accounts, and the doxing of private information.
There are some serious concerns with this.
#1 - The identities of many pseudo accounts will be public, which represents a risk for them
#2 - With a phone number, it's very easy to find anyone's address and banking information.
#3 - Multiple Phishing Attempts Via Cell Phone, Physical Phone, or Email- Haseeb Awan - efani.com (@haseeb) December 25, 2022
People are advised to take precautions, such as making sure two-factor authentication settings are turned on for their various accounts, through an app and not their phone number, as well as changing their passwords and storing them securely. , and also use a private, self-hosted crypto wallet.