In one of the largest Twitter data breaches ever, the data of 400 million Twitter users was put up for sale on the dark web. One day earlier, the Irish Data Protection Commission (DPC) announced its investigation into a previous Twitter data leak that affected over 5.4 million users. In late November, a previous breach was found. A sample of the data was posted on a hacker forum to prove its authenticity.
The user information includes email, name, username, follower count, creation date, and sometimes phone number. The hacker’s sample data contains some very high-profile user accounts, including Alexandria Ocasio-Cortez, SpaceX, CBS Media, Donald Trump Jr., Doja Cat, Charlie Puth, Sundar Pichai, NASA’s JWST account, NBA, Shawn Mendes, and WHO’s Social Media.
Data for many more high-profile users is included in the sample. For most of these accounts the details will lead to the social media team, but a legitimate data leak could be quite damaging. Alon Gal, co-founder and CTO of Israeli cybercrime intelligence company Hudson Rock, believes that the data was obtained from an API vulnerability that allowed the threat actor to query any email or phone.
In his post, the hacker wrote, “Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breaches. Buying this data exclusively is your best option to avoid $276 million USD in GDPR breach fines like Facebook (due to 533 million users being scraped).” A breach of this scale could blow up in Elon Musk’s face following his sledgehammering of Twitter’s business and policy.