Perhaps the top story this past week involves a sales offering on a popular hacking-related forum. The seller, who first joined the forum in December, has listed information on 400 million Twitter users for sale. No price is specified in the listing.
The data, which were allegedly scraped due to a vulnerability, include email, name, username, follower_count, creation_date, and phone_number. The seller provides a sample on the forum that involves well-known individuals.
And then they provide an option for Twitter or Elon Musk to buy the data from them:
Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imagine the fine of 400m users breach source
Your best option to avoid paying $276 million USD in GDPR breach fines like Facebook did (due to 533m users being scraped) is to buy this data exclusively, which can go through the official owner middle man on here @pompompurin or admin @Baphomet after that I will delete this thread and will not sell this data again.
And data will not be sold to anyone else which will prevent a lot of celebrities and politicians from phishing, crypto scams, SIM swapping, doxxing and other things that will make your users lose trust in you as a company and thus stunt the current growth and hype that you are having also just imagine famous content creators and influencers getting hacked on Twitter that will for sure make them ghost the platform and ruin your dream of Twitter video sharing platform for content creators, also since you made the mistake of changing Twitter policy that got an immense backlash from content creators this is a sensitive time, which will make things far worse and if you are unsure just run a poll on Twitter like usual and people will choose their fate, because at the end of the day it’s the company’s fault that this data was breached.
So far, no one has challenged the accuracy of the sample of well-known users, and that may be significant.
Of note, the scraping is not current. It appears to be part of a scraping incident previously addressed and disclosed by Twitter. At the time, Twitter wrote:
We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.
So Twitter had no idea that 400 million users had been affected?
On December 23, the day the sales listing appeared, the Irish DPC issued a statement that it was launching an investigation into earlier claims about 5.4 million Twitter users’ data being available on the internet after the scraping incident mentioned above. If the DPC is seeing the 5.4 million breach as a potentially finable offense, the seller is using that as leverage to try to get Musk and Twitter to pay to buy the data exclusively.
Of course, even if Musk or Twitter were to buy the data exclusively, the word of a criminal cannot be trusted, and the DPC might still take action against Twitter, as might the FTC.
But for now, it’s important to note that there has been no response from Twitter either confirming or denying that the data are real.
Update December 27: There is still no response from Twitter, but Lawrence Abrams of Bleeping Computer has a report that involves more information provided by Ryushi. According to the seller’s statements to Abrams, the scraped data were combined with another IP address to obtain more public info on individuals to create the profiles. So these data are presumably not from a single scrape or just Twitter but represent a combination of sources. Read more at BleepingComputer.