Private data of 400 million Twitter users are offered for sale on the darknet

Sicherheit (Pexels, allgemeine Nutzung)[German]The Irish data protection authority DPC has just launched an investigation into a data leak involving 5.4 million Twitter user data (see Irish data protection authority launches investigation into Twitter after data breach). Now a new data breach seems to becomming true. A credible threat actor claims to have the data of 400,000,000 Twitter users and is trying to sell it.


I just came across the following information by Catalin Cimpanu on Mastodon (a reader pointed it out to me, thanks for that).

Twitter Leak with 400 Mio. user data

Alon Gal from the security vendor Hudson Rock made the case public on LinkedIn. A threat actor claims to be in possession of 400 million Twitter account data. The actor is offering them for sale. It says that the database contains a devastating amount of "private" information, including emails and phone numbers of high-ranking users.

Twitter Leak with 400 Mio. user data offered
Post in a forum, click to zoom

The threat actor provided a valid sample of 1,000 well-known Twitter accounts for a check of the data. These records included the private information of AOC, Brian Krebs, Vitalik Buterin, Kevin O'Leary, Donald Trump JR, and many other prominent individuals. These and many influencers are now at risk of being hacked or victims of phishing or fraud, he said.

This becomes particularly explosive as the threat actor states that this data was obtained through a security flaw in Twitter by early 2022. It was known, that the data of 5.4 million stolen Twitter accounts and shared for free in hacker forum, was siphoned via a vulnerability in Twitter. However, this vulnerability was closed in January 2022. It seems, that more thread actors was aware of the vulnerability.


Alon Gal writes that it is becoming increasingly likely that the data is valid and was probably obtained via an API vulnerability. This vulnerability allowed the threat actor to query any email / phone and retrieve a Twitter profile. Hacker One had reported this issue in this post on January 1, 2022.

In the above post, the threat actor directly addresses Elon Musk and Twitter, saying that if the post is read by them, yes, they already risk a GDPR fine because of the 5.4 million Twitter account records that became public. It alludes to the facts mentioned in the blog post Irish data protection authority launches investigation into Twitter after data breach.

It is communicated that one can imagine how high a fine would be with 400 million user records. The best option to avoid a fine would be the exclusive purchase of this data. It is still mentioned that Facebook would have to pay $276 million fine for a breach of the General Data Protection Regulation because 533 million users were siphoned. At the end of November, it was announced that Meta had been fined $276 million for the matter.

The problem with this argument is that the violation of the GDPR already exists with the extraction of the data – Twitter and Musk would not gain much in this respect with the purchase of the database. In addition, it is always unclear whether the data is already in other hands or whether it will end up in them despite the purchase. Let's see when Twitter officially announces this data protection incident, when the users are informed and how this continues. However, the threat actor may have set on a "sinking ship" if the data is all genuine – at least in the event that Twitter hits the wall and goes bankrupt in 2023.

Similar articles:
Twitter data privacy incident (August 2022)
Irish data protection authority launches investigation into Twitter after data breach

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *