Google CEO Sundar Pichai and actor Salman Khan are reportedly among those whose Twitter data has been compromised
Micro-blogging site Twitter is most likely experiencing its largest data breach at present. According to a report by the Israeli cyber intelligence firm Hudson Rock, a hacker claimed to have acquired the data of 400 million Twitter users and sold it on the dark web.
Data was stolen from high-profile users such as Bollywood actor Salman Khan, Donald Trump Jr., India’s Ministry of Information and Broadcasting, Google CEO Sundar Pichai, and others.
How did the Twitter data leak happen?
According to the Hudson Rock investigation, among the 400 million Twitter users’ personal information that has been made available for purchase on the dark web are email addresses, usernames, followers, and even phone numbers. The hacker is said to have posted, “I am selling data of 400+ million unique Twitter users that was scrapped via a flaw, this info is 100% confidential.”
BREAKING: Hudson Rock discovered a credible threat actor is selling 400,000,000 Twitter users data.
The private database contains devastating amounts of information including emails and phone numbers of high profile users such as AOC, Kevin O’Leary, Vitalik Buterin & more (1/2). pic.twitter.com/wQU5LLQeE1
— Hudson Rock (@RockHudsonRock) December 24, 2022
A few months ago, Elon Musk’s Twitter purportedly had a leak of user data involving over 5.4 million users. The Irish Data Protection Commission is investigating the breach.
Elon Musk appears to be dealing with an endless stream of issues, from people migrating to rival Mastodon due to the contentious new view count feature to the breach. The vendor, Ryushi, a user of data breach forums, claimed that a Twitter vulnerability was used to harvest the data.
What is being done about the Twitter data leak?
According to reports, the hacker offered Elon Musk, the CEO of Twitter, a deal and stated in their post, “Twitter or Elon Musk, if you are reading this post, you are already at risk of GDPR fines for the data leak of over 54 million users. Now fines for data leak of 400 million users. Your best option to avoid paying $2.76 million in CDPR breach fines like Facebook did (due to 533 million users being scraped) is to buy this data exclusively.”
Alon Gal, the Chief Technology Officer and co-founder of Hudson Rock, speculated that the data was obtained using an API flaw that gave the threat actor access to query any email or phone number and obtain a Twitter profile.
Alon Gal claimed that Twitter has incorporated a “readers context” in which they attribute the 5.4 million user data leak in August to the 400 million user Twitter database. “This is easily disproved by comparing the samples in the new leak to the older 5.4m version which had already been leaked publicly. 250 out of 1000 are found. (the count would have been lower had it been a sample of non-verified accounts) I can’t share some sensitive information I have, but as time goes on I am more confident this is a 400,000,000 users leak, and as always, it will unfortunately leak to the hands of every hacker for free.”
The data leak has not yet been confirmed by Elon Musk.