Hacker claims to steal personal data of 400 million Twitter users
Grant Gross
A hacker has claimed to have stolen the personal data of 400 million Twitter users, giving the social media platform even more headaches after its rocky takeover by Elon Musk.
The hacker has offered to sell the data back to Twitter to help it avoid a huge fine from European authorities. “Your best option to avoid paying $276 million in GDPR breach fines like Facebook did (due to 533m users being scraped) is to buy this data exclusively,” the hacker wrote on a hacking forum.
If Twitter buys the data back, it will protect users from phishing attacks, doxxing, and other criminal activity, and it will keep users from losing trust in the company, the hacker wrote.
The hacker released records of about 1,000 Twitter users, including billionaire Mark Cuban, Rep. Alexandria Ocasio-Cortez (D-NY), and Donald Trump Jr., in an attempt to prove his claims. He claimed to have obtained the personal data in early 2022.
Twitter didn’t immediately respond to a request for comment on the supposed breach. However, some cybersecurity experts said the hacker’s claims appear to be at least partially credible, in part because of the release of user information.
“The 400 million, however, may be inflated, as threat actors are known to inflate the damage that they have done to extract more money,” Greg Kelley, CTO at digital forensics provider Vestige, told the Washington Examiner. “The time it would take to validate that number of stolen records would take too long for a company to investigate in time.”
Twitter has had data leaks in the past, giving this new claim some credibility, added Lou Steinberg, founder and managing partner of the cybersecurity research lab and incubator CTM Insights. Some researchers have compared the data in this breach with prior Twitter breaches and found data that haven’t been disclosed previously, “making this more likely to be a new incident,” Steinberg told the Washington Examiner.
However, the hacker’s claim that Twitter can avoid GDPR fines by paying the ransom is less credible, he noted. “Uber was fined under GDPR despite paying a ransom, which they characterized as a bug bounty, and despite making the attacker sign an NDA,” Steinberg said. “GDPR has disclosure requirements to both regulators and end users, in addition to demanding that reasonable steps be taken to protect data. It’s certainly conceivable that Twitter could be sanctioned even if they pay.”
Kelley urged Twitter users to change their passwords and enable two-factor authentication for accessing their accounts. Twitter users should ignore emails or texts with links to check some information related to their accounts because these links are often phishing attempts, he added.
“Consider any security question that involves personal data that you use on another site to have been compromised,” he added. “Also, be on the lookout for phishing attempts using fake accounts or weaponizing your personal information. It will likely take weeks, however, to weaponize the data for phishing and other uses, but it will come.”
Steinberg agreed that phishing attacks are the biggest danger for Twitter users. “Twitter users should be extra suspicious of links in emails and texts, claims that they have won a prize or owe money, etc.,” he said.
Meanwhile, Steinberg urged Twitter to be transparent about the data loss, if it actually happened, and work to fix any problems the breach exposed.
“Seal the leaks, or your ship will sink,” he said. “Easier said than done, but a comprehensive review of all public-facing APIs is in order.”
The company should also look to add new data exfiltration detection services, he suggested. “It should be hard to extract that much data without setting off an alarm somewhere. It’s like carrying a grand piano out of a house, something should be making noise.”
Musk’s takeover of Twitter has hit several speed bumps after the billionaire laid off thousands of employees and banned several journalists from Twitter who have reported on him. The new claim of a data breach won’t help a company trying to put its best foot forward, some observers said.
“If a large part of the security operations team was recently let go, there might have been an opportunity to better detect the incident,” Steinberg said. “That said, it’s very likely that both the vulnerability and maybe the incident predates Elon’s ownership, so hard to blame him for that.”
However, the breach creates a “headache” related to Twitter’s reputation, and it’s a potential hit to a company that Musk has claimed is burning cash, he added. Some advertisers have pulled away from Twitter after Musk changed the platform’s moderation rules, and “it remains to be seen if this will cause user loss that further impacts ad revenue.”