In what can be touted as one of the biggest Twitter data breaches, the data of 400 million Twitter users have been put up for sale on the dark web. The revelation comes a day after The Irish Data Protection Commission (DPC) announced an investigation into an earlier Twitter data leak that had affected over 5.4 million users. The earlier breach was discovered in late November.
According to Alon Gal, co-Founder and CTO of Israeli cybercrime intelligence company, Hudson Rock, the data was probably obtained from an API vulnerability enabling the threat actor to query any email or phone and retrieve a Twitter profile.
The database contains devastating amounts of information, including, emails and phone numbers of high-profile users, Gal noted on his LinkedIn post.
Big Data Breach, Big Names, Bigger Damage
“The threat actor provided a valid sample of 1,000 notable accounts and included the private information of AOC, Brian Krebs, Vitalik Buterin, Kevin O’Leary, Donald Trump Jr., and many more,” Gal wrote in his LinkedIn post about the breach.
When contacted, Gal told The Cyber Express that he discovered the post during his dark web intelligence search. David H. of CZECHMATE CZ, a cyber intelligence service based in Czech Republic, confirmed on LinkedIn that he has verified that the data is indeed put up for sale.
The person who posted the leak note claimed they got the data in early 2022 via an exploit on Twitter. Akin to the Meta-penalty situation, the person in the post addressed Elon Musk, asking him to buy the data to avoid GDPR lawsuits.
At the time of publishing this report, researchers including Gal were working on verifying whether the proposed seller actually has the data of the 400,000,000 Twitter users.
“I can say the data is valid based on the samples provided by the hacker,” Gal told The Cyber Express.
Then Meta Breach, Now Twitter Data Breach
Ahead of the Twitter data breach, Gal was the one who discovered the Meta breach in 2021. “This is extremely similar to the Facebook 533m database that I originally reported about in 2021 and resulted in a $275,000,000 fine to Meta,” Gal wrote in his LinkedIn post about the breach.
Over 533 million Facebook users from 106 countries had their personal information exposed in that incident, including 32 million in the US, 11 million in the UK, and 6 million in India. The data included phone numbers, Facebook IDs, full names, locations, birthdates, bios, and email addresses for some individuals.
PIIs are hot cakes for hackers, which they could use for a host of malicious activities.
The hacker themself shared a note on how the data could be used to make money, Gal told The Cyber Express. We had access to the note and found ambitious and borderline-outlandish claims by the hacker.
Any other government can simply buy this data and spy on their citizens, such as track their location by sending them an email. “If the email must contain (sic) a GIF image that when the victim open it can grab his IP address and thus tracking him,” went the sentence on the note.
“Or just find their phone numbers from here and send them your Pegasus exploit or any other to target them without leaving a trace,” it added along with a host of other, potentially dangerous suggestions of targeted attacks.
Twitter data breach, damages, and GDPR penalty
A breach of this scale could blow up on the face of Elon Musk, who is receiving global flak on the way he sledgehammered through the operation and policy of the extremely influential microblogging site. Moreover, the DPC has already initiated its investigation on the previous breach.
“The DPC corresponded with Twitter International Unlimited Company (‘TIC’) in relation to a notified personal data breach that TIC claims to be the source vulnerability used to generate the datasets and raised queries in relation to GDPR compliance,” said the EU privacy watchdog in a statement on Friday.
In July 2022, a hacker forum post offered to sell the personal information of over 5.4 million Twitter users for $30,000. The data included publicly available information like Twitter IDs, names, login names, locations, and verified status, as well as private information like email addresses and phone numbers.
The hack occurred in December 2021 when a vulnerability in the Twitter API was exposed through the HackerOne bug bounty program. This vulnerability allowed anyone to enter a phone number or email address into the API and link it to a Twitter ID.
GDPR penalty is not new for Twitter. Two years ago, the DPC levied a fine of €450,000 ($550,000) on Twitter due to the company’s failure to promptly inform the DPC of a breach within the 72 hours mandated by the GDPR and for faulty documentation of the incident.