In August of this year, an unknown actor using the username “devil” posted information about 5.4 million Twitter users on BreachForums for sale. This information included email addresses and telephone numbers associated with user accounts. Now, someone with the username “Ryushi” claims to be selling a database containing information on more than 400 million Twitter accounts.
The database listed in August was harvested from Twitter in December 2021. The harvesting exploited a flaw in Twitter's login and account-lookup flow: submitting an email address or telephone number revealed the unique ID of the account it was registered to. An attacker holding a large list of email addresses and phone numbers could therefore link each one to a Twitter account and, through the account's public profile, to a handle, which is how the email addresses and phone numbers in the database came to be paired with accounts. Twitter patched the vulnerability in January 2022, but not before threat actors had exploited it.
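The following is an added illustration, not Twitter's code, of the class of flaw described above: a contact lookup that returns the account ID bound to an email address or phone number lets anyone with a harvested list of contact details link them to accounts in bulk, and a public profile then turns each ID into a name. The account directory, public profiles and contact list are constructed sample data, and the hardened variant (uniform response plus per-client rate limiting) is one standard fix, not a description of Twitter's patch.

```python
import time
from typing import Callable, Dict, List, Optional

# Constructed sample account directory (hypothetical, not data from any breach).
# The email and phone fields are private; only the handle is public.
ACCOUNTS: Dict[int, Dict[str, str]] = {
    1001: {"handle": "alice", "email": "alice@example.com", "phone": "+15550000001"},
    1002: {"handle": "bob", "email": "bob@example.com", "phone": "+15550000002"},
    1003: {"handle": "carol", "email": "carol@example.com", "phone": "+15550000003"},
}

# What an outsider can see: account ID -> public handle (constructed sample).
PUBLIC_PROFILES: Dict[int, str] = {aid: info["handle"] for aid, info in ACCOUNTS.items()}


def _normalize(contact: str) -> str:
    return contact.strip().lower()


def _find_account(contact: str) -> Optional[int]:
    """Server-side search used by both variants below."""
    contact = _normalize(contact)
    for account_id, info in ACCOUNTS.items():
        if contact in (info["email"], info["phone"]):
            return account_id
    return None


# Vulnerable shape: the caller is told which account ID the contact belongs to
# (or that none does). This is the reverse lookup the article describes.
def lookup_vulnerable(contact: str) -> Optional[int]:
    return _find_account(contact)


# Hardened shape: the response is identical whether or not the contact is
# registered, and each client key gets a small number of lookups per window.
class HardenedLookup:
    UNIFORM_REPLY = "if_registered_a_message_was_sent"

    def __init__(self, max_per_window: int = 5, window_seconds: float = 60.0):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._calls: Dict[str, List[float]] = {}

    def _allowed(self, client: str, now: float) -> bool:
        recent = [t for t in self._calls.get(client, []) if now - t < self.window_seconds]
        self._calls[client] = recent
        if len(recent) >= self.max_per_window:
            return False
        recent.append(now)
        return True

    def lookup(self, client: str, contact: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if not self._allowed(client, now):
            return "rate_limited"
        # The server may still act on the result internally (e.g. email the
        # account owner), but never surfaces whether a match existed.
        _ = _find_account(contact)
        return self.UNIFORM_REPLY


# Attacker side: run a harvested contact list through an endpoint and keep
# every contact for which the endpoint leaked an account ID.
def link_contacts(contacts: List[str], endpoint: Callable[[str], object]) -> Dict[str, int]:
    linked: Dict[str, int] = {}
    for contact in contacts:
        result = endpoint(contact)
        if isinstance(result, int):
            linked[contact] = result
    return linked


# Join leaked IDs with public profiles: private contact -> public identity.
def build_dossier(linked: Dict[str, int]) -> Dict[str, Dict[str, object]]:
    return {
        contact: {"account_id": aid, "handle": PUBLIC_PROFILES.get(aid)}
        for contact, aid in linked.items()
    }


if __name__ == "__main__":
    harvested = ["alice@example.com", "nobody@example.com", "+15550000002"]
    print("vulnerable:", build_dossier(link_contacts(harvested, lookup_vulnerable)))
    hardened = HardenedLookup(max_per_window=2)
    print("hardened:", link_contacts(harvested, lambda c: hardened.lookup("attacker", c)))
```

Against the vulnerable endpoint the constructed list yields a dossier pairing two private contacts with public handles; against the hardened endpoint the same list yields nothing, and the third request in the window is refused. Normalising the contact before comparison matters for both variants, since case or whitespace differences would otherwise let an attacker probe the same address repeatedly under different spellings.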
According to a new post on BreachForums, the database containing the information of 5.4 million Twitter users pales in comparison to a database containing the email addresses and phone numbers of 400 million Twitter accounts. According to cybercrime intelligence firm Hudson Rock, the user who offered the database for sale is a credible threat actor. In addition, the forum post includes two samples of the stolen data, and Hudson Rock asserts that an independent analysis has confirmed the authenticity of these samples.
In an interview with BleepingComputer, the threat actor disclosed plans to sell the data for $200,000 to a single buyer or $60,000 to multiple buyers. The forum post listing the data for sale also attempts to blackmail Twitter and Elon Musk by invoking a recently announced inquiry by Ireland's Data Protection Commission. According to the regulator, Twitter may have violated multiple General Data Protection Regulation (GDPR) provisions by exposing the information of 5.4 million of its users.
Twitter may already face a fine over those 5.4 million records, and, as the threat actor's forum post points out, the release of information on more than 400 million accounts could increase the likelihood and size of a fine. The threat actor also lists several malicious uses for the stolen information, suggesting that Twitter users could be subjected to extensive cyberattacks should the database fall into the wrong hands. The forum post asks Elon Musk to purchase the database on behalf of Twitter, with the threat actor promising to delete it and never sell it again.
Regardless of the fate of the entire database, it appears that the sample data disclosed in the forum post has already enabled a cyberattack on at least one Twitter account. This morning, the account of the television personality Piers Morgan was hacked, resulting in a series of bizarre and offensive tweets. Since Morgan’s email address appears in the sample data posted by the threat actor, another actor likely used this information to gain unauthorized access to Morgan’s Twitter account via phishing. The sample data contains the phone numbers and email addresses of numerous other well-known individuals, businesses, and government agencies, so Morgan’s Twitter account may be only the first of many accounts to be compromised as a result of the release of this information.
Regardless of who ends up purchasing the stolen database, the appearance of this second database indicates that multiple threat actors may have exploited the Twitter vulnerability that exposed user data, and that similar databases may still be sold or made public. To blunt future phishing attacks, Twitter users may wish to change the email addresses and phone numbers associated with their accounts immediately; any message that appears to come from Twitter but arrives at an address or number no longer tied to the account can then be safely treated as a phishing attempt. Because a leaked phone number also exposes its owner to SIM-swap attacks, users who rely on SMS for two-factor authentication should switch to an authenticator app or a hardware security key.