According to a hacker, the public and private data of four hundred million Twitter users was scraped in 2021 using a now-patched API vulnerability. The asking price is US$200,000 for an exclusive sale.
A threat actor going by the name “Ryushi” is selling the alleged data dump on the Breached hacking forum, which is frequently used to sell user data stolen in data breaches.
The threat actor claims to have gathered information on over 400 million distinct Twitter users via a vulnerability. They warned Elon Musk and Twitter to purchase the data to avoid paying a hefty fine under the GDPR privacy regulation.
In a forum post, Ryushi stated, “If you are reading this, Twitter or Elon Musk, you are already risking GDPR penalties over 5.4m breach imaging the fine of 400m users breach source.”
The simplest way to avoid paying fines for GDPR violations, as Facebook did (USD 276 million, due to 533 million users being scraped), is to buy this data exclusively.
The API weakness was found in January 2022 through the bug bounty program Twitter had established earlier to encourage crowdsourced security oversight. Eight months after the issue was first brought to the public’s attention, Twitter assured users that it had been resolved and that there was “no evidence to suggest someone has taken advantage of the vulnerability.”
Since the news was revealed earlier this week, Twitter has remained silent. Many of the social media platform’s security specialists and teams, as well as the whole PR division, have been let go since Musk took charge.