A threat actor says they are selling the private and public data of 400 million Twitter users, obtained through an API vulnerability that has since been fixed. For an exclusive sale, they are asking $200,000.
A threat actor called ‘Ryushi’ is selling the alleged data dump on the Breached hacking forum, where user data stolen in data breaches is often sold.
The threat actor claims to have stolen the personal data of more than 400 million Twitter users by exploiting a vulnerability, and warned Elon Musk and Twitter that the data could lead to large fines under Europe’s GDPR privacy laws.
Ryushi wrote in a forum posting: “Twitter and Elon Musk, if you’re reading this, you already face a GDPR penalty over 5.4m breach imaging fines of 400m users breach source. Buy this data only to save $276 million USD on GDPR breaches like Facebook’s (due 533m user being scraped).”
Another threat actor explained how others could use this data for phishing, crypto scams and BEC attacks.
The forum post contains sample data on 37 celebrities, journalists, politicians, companies, government agencies and corporations. A larger sample of 1,000 Twitter profiles was also leaked.
The user profiles include public and private Twitter data, including usernames, email addresses, followers, account creation date and phone numbers. While all the leaked profiles appear to be associated with email addresses, most do not include phone numbers.
Although most of the data is public information that any Twitter user can access, the rest, including phone numbers and email addresses, is private.
Ryushi told BleepingComputer that they want to sell the Twitter data to one person, or to Twitter itself, for $200,000 and then delete it. If no exclusive purchase is made, they will sell copies to several buyers at $60,000 each.
They told BleepingComputer they had contacted Twitter to try to ransom the data.
Data obtained using a now-fixed API vulnerability
BleepingComputer was informed by the threat actor that they had obtained private telephone numbers and email addresses through an API vulnerability Twitter closed in January 2022. This API vulnerability was previously linked to a .
The vulnerability enabled a user to submit large numbers of email addresses and phone numbers to the Twitter API and receive back the associated Twitter user ID. The threat actor then fed that ID to another API to obtain the user’s public profile data. The result is a Twitter profile record that combines private and public data.
“I gained access using the same exploit that was used to leak 5.4 million data. I spoke with the vendor and he confirmed that it was in the Twitter login flow,” the threat actor said to BleepingComputer.
“So in the check to duplicate it leaked userID, which I converted using another API to username and other information.”
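The mechanism described above is a classic account-existence leak: a signup or login "duplicate" check that answers differently for a registered contact, and worse, hands back an internal user ID that a separate public endpoint happily resolves to a profile. The following is an added illustration (not Twitter's code, and not the threat actor's): a toy duplicate-check endpoint that leaks the user ID next to a hardened version that returns an identical response whether or not the contact is registered, plus a simple detector that scans constructed request logs for a client probing many distinct contacts in a short window. All users, IDs, IP addresses and log lines are made up for the example.

```python
"""Added example: account-existence leak vs. hardened check, with a log-based
detector for bulk contact probing. Everything here is constructed sample data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    email: str
    phone: Optional[str]


# Constructed sample accounts (hypothetical, not real Twitter users).
USERS = [
    User(1001, "alice", "alice@example.com", "+15550000001"),
    User(1002, "bob", "bob@example.com", None),
]
BY_CONTACT: Dict[str, User] = {}
for _u in USERS:
    BY_CONTACT[_u.email] = _u
    if _u.phone:
        BY_CONTACT[_u.phone] = _u
BY_ID: Dict[int, User] = {u.user_id: u for u in USERS}


def vulnerable_duplicate_check(contact: str) -> dict:
    """Signup-flow check in the shape the article describes: when the email or
    phone is already registered it says so AND returns the internal user ID."""
    user = BY_CONTACT.get(contact)
    if user is None:
        return {"taken": False}
    return {"taken": True, "user_id": user.user_id}


def hardened_duplicate_check(contact: str) -> dict:
    """Same response shape and content for registered and unregistered contacts.
    The real outcome is delivered out of band (e.g. a confirmation email to the
    address itself), so a caller learns nothing about other people's accounts."""
    BY_CONTACT.get(contact)  # the lookup still happens; only the answer is uniform
    return {"status": "ok",
            "message": "If this contact can be used, you will receive a confirmation."}


def public_profile(user_id: int) -> Optional[dict]:
    """A separate, legitimately public endpoint: user ID -> public profile data."""
    user = BY_ID.get(user_id)
    return None if user is None else {"user_id": user.user_id, "username": user.username}


def profile_via(check: Callable[[str], dict], contact: str) -> Optional[str]:
    """Shows what the combination leaks: if the duplicate check exposes a user ID,
    the public endpoint turns a private contact into a named profile. With the
    hardened check there is no ID to follow, so the chain is broken."""
    user_id = check(contact).get("user_id")
    if user_id is None:
        return None
    profile = public_profile(user_id)
    return None if profile is None else profile["username"]


def flag_enumeration(log_lines: List[str], max_distinct: int = 5, window_s: int = 60) -> List[str]:
    """Detection: return clients that submitted more than `max_distinct` distinct
    contacts to the check endpoint within any `window_s`-second sliding window.
    Log format (constructed for this example): '<unix_ts> <client_ip> <contact>'."""
    per_client = defaultdict(list)
    for line in log_lines:
        ts, client, contact = line.split()
        per_client[client].append((int(ts), contact))
    flagged = set()
    for client, events in per_client.items():
        events.sort()
        counts: Counter = Counter()
        start = 0
        for ts, contact in events:
            counts[contact] += 1
            while events[start][0] < ts - window_s:  # drop events outside the window
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) > max_distinct:
                flagged.add(client)
                break
    return sorted(flagged)


# Constructed log sample: one client bursts six contacts in six seconds, one
# retries the same address, one spreads distinct contacts 100 s apart.
SAMPLE_LOG = [
    "1000 203.0.113.5 u1@example.com", "1001 203.0.113.5 u2@example.com",
    "1002 203.0.113.5 u3@example.com", "1003 203.0.113.5 u4@example.com",
    "1004 203.0.113.5 u5@example.com", "1005 203.0.113.5 u6@example.com",
    "1000 198.51.100.9 alice@example.com", "1040 198.51.100.9 alice@example.com",
    "1090 198.51.100.9 bob@example.com",
    "1000 192.0.2.7 a@example.com", "1100 192.0.2.7 b@example.com",
    "1200 192.0.2.7 c@example.com", "1300 192.0.2.7 d@example.com",
    "1400 192.0.2.7 e@example.com", "1500 192.0.2.7 f@example.com",
]

if __name__ == "__main__":
    print("vulnerable:", profile_via(vulnerable_duplicate_check, "alice@example.com"))
    print("hardened:  ", profile_via(hardened_duplicate_check, "alice@example.com"))
    print("flagged clients:", flag_enumeration(SAMPLE_LOG))
```

The hardened check is the core fix: the response must not vary with the existence of the account, and internal identifiers should never appear in a pre-authentication response. The sliding-window detector is a coarse rate-anomaly check; in practice the same signal (one client, many distinct contacts against an existence-revealing endpoint) belongs in WAF or API-gateway rules and alerting rather than in an offline script.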
Although Twitter resolved the vulnerability in January 2022, it has since been confirmed that multiple threat actors exploited it to steal private data from Twitter users.
BleepingComputer was able to confirm that two of the leaked Twitter accounts are valid, but could not verify the other.
Alon Gal of threat intelligence firm Hudson Rock stated that they have independently confirmed that the leaked samples appear to be legitimate.
“Please note: At the moment it’s not possible to verify whether there are actually 400,000,000 users in our database,” Hudson Rock .
“We have verified that the data is legitimate. Any developments will be followed up on.”
The leak of Twitter user information comes at an unfortunate time. An EU privacy watchdog, the Irish Data Protection Commission (DPC), has to the publication of the 5.4 million user records that were stolen in 2021 through this vulnerability.
A second threat actor also claimed that he used the vulnerability to . This leak remains private, however, and is not being sold.
BleepingComputer contacted Twitter with further questions about the sale of this data but did not immediately receive a reply.