New Twitter data leak: 400M user details for sale

Things continue to get worse for Twitter, with a new leak of 400 million users’ data now for sale. The leak includes personal user data on celebrities, government officials, and businesses. The hacker responsible, known only as “Ryushi”, is asking for $50,000 in payment.

The announcement came on Breached, a renowned hacker forum. Included in the leak are Twitter handles, usernames, email addresses, and phone numbers, according to Cybernews.

According to the hacker, the data was acquired by scraping through an undisclosed vulnerability. Scraping is used to acquire large sets of data from platforms by utilizing vulnerabilities in an interface such as an application programming interface (API).

The hacker is taunting Twitter and Elon Musk, Twitter’s new owner and CEO, stating that they should purchase the data exclusively before facing a huge GDPR breach fine.

“Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imaging (sic) the fine of 400m users breach source,” wrote Ryushi on Breached.

“Your best option to avoid paying $276 million USD in GDPR breach fines like facebook did (due to 533m users being scraped) is to buy this data exclusively.”

The forum post brags that the celebrity and prominent users included in the data breach are Alexandria Ocasio-Cortez, Donald Trump Jr, Mark Cuban, Kevin O’Leary, and Piers Morgan.

While several items of the data included in the breach are publicly available, information such as email addresses and phone numbers is not.

A history of GDPR violations for social media

As the hacker known as “Ryushi” warned, GDPR violation fines are a legitimate concern for social media platforms and companies.

Facebook, owned by Meta, was hit with a roughly $275 million (USD) fine for a similar data scraping breach back in November. Meta originally downplayed the breach, claiming that it was “old data” for sale online. It also stated that it had already fixed the vulnerabilities utilized to acquire the data.

However, the Irish Data Protection Commission (DPC) disagreed, and concluded that “the material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default.”

Meta has a history of GDPR violations, with Meta-owned WhatsApp fined $267 million (USD) for transparency breaches in 2021.

More cybersecurity pain for Twitter

Twitter continues to struggle with security concerns, no doubt a ripple effect after mass layoffs and resignations from the company. This is yet another breach and data leak for Twitter in recent months alone. Over 5.4 million user data records were leaked just in November.

As a result, the Twitter exodus continues—especially amongst the “infosec” or information security community—to Mastodon.