A threat actor claims to sell public and private data from 400 million Twitter users scraped in 2021 via a now-patched API vulnerability. The asking price for an exclusive sale is USD 200,000.
The alleged data dump is being sold by a threat actor named ‘Ryushi’ on the Breached hacking forum, a site commonly used to sell user data stolen in data breaches.
The threat actor claims to have used the vulnerability to collect data on over 400 million unique Twitter users, and warned Elon Musk and Twitter to buy the data before they face a large fine under Europe’s GDPR privacy law.
“If you are reading this, Twitter or Elon Musk, you are already risking a GDPR fine over 5.4m breach, imagine the fine of 400m users breach source,” Ryushi wrote in a forum post.
“Buying this data exclusively is your best option to avoid paying USD 276 million in GDPR breach fines like Facebook did (due to 533 million users being scraped).”
The threat actor also included a blog post outlining how other threat actors might use this information for BEC, crypto scams, and phishing attacks.
Sample data for 37 celebrities, politicians, journalists, businesses, and government organizations is included in the forum post. These individuals include Alexandria Ocasio-Cortez, Donald Trump Jr., Mark Cuban, Kevin O’Leary, and Piers Morgan. A later leak included a larger sample of 1,000 Twitter user profiles.
The user profiles include users’ email addresses, names, usernames, follower count, creation date, and phone numbers, among other public and private Twitter data. Although it appears that all of the exposed profiles have email addresses, many of them lack phone numbers.
Phone numbers and email addresses are private information; most of the other fields in the profiles are publicly accessible to any Twitter user.
According to the threat actor Ryushi, who spoke to BleepingComputer, they are attempting to sell the Twitter data exclusively to Twitter for $200,000 before deleting it. If Twitter does not buy an exclusive copy, they will sell copies to multiple buyers for $60,000 each.
When asked if they had contacted Twitter to demand payment for the data, they told BleepingComputer that they did call Twitter but got no response.