Click to Skip Ad
Closing in...

Hacker claims to be selling Twitter data stolen from 400 million users

Updated Jan 4th, 2023 12:18PM EST
Twitter smartphone app
Image: Davide Bonaldo/SOPA Images/LightRocket via Getty Images

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

A hacker claims to have collected over 400 million unique users’ data with a now-fixed API vulnerability on Twitter in 2021. As reported by Bleeping Computer, the threat actor named “Ryushi” on the Breached hacking forum is asking $200,00 for an exclusive sale.

They have already warned Elon Musk’s Twitter as “they should purchase the data before it leads to a large fine under Europe’s GDPR privacy law.”

“Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imaging the fine of 400m users breach source,” wrote Ryushi in a forum post. “Your best option to avoid paying $276 million USD in GDPR breach fines like Facebook did (due to 533m users being scraped) is to buy this data exclusively.” 

In the post, the hacker explains how this data can be used for phishing attacks and other scams. Ryushi says they were able to collect public and private Twitter data, such as users’ email addresses, names, usernames, follower count, creation date, and phone numbers. While most of this data can be found online, phone numbers and email addresses are private information.

Ryushy acquired data from 37 celebrities, including Alexandria Ocasio-Cortez, Donald Trump JR, Mark Cuba, Kevin O’Leary, and Piers Morgan, Bleeping Computer reports. The hacker told the publication that they are “attempting to sell the Twitter data exclusively to a single person/Twitter for $200,000 and will then delete the data. If an exclusive purchase is not made, they will sell copies to multiple people for $60,000 per sale.”

Background

The hacker has told the publication they have gathered this data by exploiting a vulnerability previously associated with a 5.4 million user data breach and fixed in January 2022. Bleeping Computer was able to verify two of the leaked Twitter profiles. Hudson Rock, an analyst of a thread intelligence company, said the leaked samples “appear legitimate” although he couldn’t “fully verify that there are indeed 400,000,000 users in the database.”

The hacker said they had tried to contact Twitter but didn’t receive an answer. If Twitter doesn’t buy this data, it will likely bring another issue to Elon Musk’s company – even if this time, he didn’t cause this.

José Adorno Tech News Reporter

José is a Tech News Reporter at BGR. He has previously covered Apple and iPhone news for 9to5Mac, and was a producer and web editor for Latin America broadcaster TV Globo. He is based out of Brazil.