Stolen info on 400m+ Twitter accounts seemingly up for sale
Plus: Cracked Piers Morgan spews offensive tweets, not the usual kind
Updated A miscreant this Christmas weekend said they are willing to sell public and private info on more than 400 million Twitter accounts.
This data is said to include info that anyone can find out – follower counts, account creation date, etc – as well as private details, such as email addresses and phone numbers of tweeters.
The records were apparently scraped in 2021 via a security flaw fixed earlier this year in a backend API that the Twitter Android app used.
The Irish Data Protection Commission is still probing that earlier snafu – and specifically, that the hole was used to obtain data on at least 5.4 million Twitter users worldwide – which may make the biz regret having an Emerald Isle office.
It's thought that a whole bunch of miscreants exploited the API to extract info on millions of users.
Posting to the Breached cybercrime forum last Friday, someone calling themselves Ryushi claimed to obtained data on 400 million-plus accounts, seemingly via the API vulnerability, and is putting it up for sale.
- Twitter will lose 32 million users by end of 2024, Insider Intelligence predicts
- 'You can Google Checkout any time you like, but you can never leave...'
- Elon Musk to step down as Twitter CEO: Help us pick his replacement
- Elon Musk starts poll with one question: Should I step down as head of Twitter?
In a poorly worded threat, and a very unwelcome Christmas gift for Twitter boss Elon Musk, the miscreant suggested the billionaire cough up the cash or risk fat fines for allowing even more information to leak out.
"Twitter or Elon Musk if you are reading this, you are already risking a GDPR fine over 5.4m breach, imaging [sic] the fine of 400m users breach source," the scumbag wrote. "I will advice [sic] you, your best option to avoid paying $276 million USD in GDPR breach fines like Facebook did (due to 533m users being scraped) is to buy this data exclusively."
The individual meanwhile told Bleeping Computer a copy of the database can be exclusively bought for $200,000, or $60,000 per buyer on a non-exclusive basis.
As infosec outfit Hudson Rock pointed out, the database includes details of normal users as well as celebrities, politicians, cryptocoin types, and so on.
We wouldn't automatically assume, though, that all 400 million records in the database are legit and correct: if for some reason you wanted to buy this data, caveat emptor.
Possibly coincidentally, notorious British blowhard Piers Morgan has had his Twitter account cracked by a group calling themselves The Chuckling Squad.
They posted a stream of obscene tweets including sexual references to the late Queen and others, and if they have access to his direct massages, this could get ugly for the newspaper editor-turned-whatever-the-fsck-he's-supposed-to-be-now. His account is currently blank (insert joke here). ®
Updated to add on January 11
Twitter now claims the 400 million records were not obtained through a vulnerability and were instead cobbled together from other sources. See our update here.