A hacker has recently claimed to have the data of 400 million Twitter accounts and is offering it for sale, although security firms are working to verify the data.
The data dump, posted on the Breached hacking forum by a user named "Ryushi," allegedly contains public and private data scraped in 2021 using an API vulnerability that has since been fixed. They're asking $200,000 for the trove.
Ryushi included sample data in the post for some public figures, including Mark Cuban, Donald Trump Jr., Alexandria Ocasio-Cortez, and others. Email addresses, names, usernames, follower counts, and phone numbers are among the data contained in the user profiles.
The hacker told BleepingComputer that they wanted to sell the data exclusively to one buyer and would delete the data afterward. If a buyer isn't found, they will sell copies to multiple people for $60,000 each. Ryushi said they contacted Twitter but didn't receive a response, likely because specific teams within the company have been laid off.
The API vulnerability
Ryushi confirmed to BleepingComputer that they collected the data using an API bug that Twitter fixed in January 2022. The same vulnerability was previously associated with a separate data breach in 2021.
The vulnerability allowed an attacker to submit lists of phone numbers and email addresses to the API and receive the associated Twitter user IDs in response.
"I gained access by same exploit used for 5.4m data leak already. Spoke with the seller of it and he confirmed it was in Twitter login flow," Ryushi said. "So, in the check for duplication, it leaked the userID which I converted using another API to username and other info."
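The flaw described above is a classic account-enumeration pattern: a "is this email or phone already registered?" check that answers differently, and hands back an internal identifier, depending on whether the identifier exists. The following is an added example (not code from the article, from Ryushi, or from Twitter) that shows that leaky pattern beside a hardened one. The user directory, client names, HMAC secret and rate-limit thresholds are constructed for illustration.

```python
"""Account-enumeration demo: a leaky duplicate check beside a hardened one.

Added example; everything here (users, identifiers, secret, limits) is constructed.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample directory: login identifier -> internal user id.
USERS = {
    "alice@example.com": 1001,
    "+15550001111": 1001,   # same account, phone identifier
    "bob@example.com": 1002,
}


def leaky_duplicate_check(identifier: str) -> dict:
    """Vulnerable pattern (the one the article describes).

    The response differs for known and unknown identifiers, and for a known
    one it returns the internal user id. One request per identifier is enough
    to confirm an account and obtain a key that another endpoint can resolve
    to a profile.
    """
    uid = USERS.get(identifier)
    if uid is None:
        return {"available": True}
    return {"available": False, "user_id": uid}


class EnumerationGuard:
    """Hardened pattern.

    * The HTTP response is identical whether or not the identifier exists;
      the real answer travels out of band (confirmation email or SMS).
    * No internal id is exposed; the only value returned is an opaque,
      keyed token the server can correlate with its own queue.
    * Each client gets a sliding-window request budget, and a client that
      exceeds it is recorded so bulk probing surfaces in monitoring.
    """

    def __init__(self, secret: bytes, limit: int, window_s: float):
        self._secret = secret
        self._limit = limit
        self._window = window_s
        self._hits = defaultdict(deque)   # client -> timestamps in window
        self.alerts = []                   # (client, timestamp) of throttled requests

    def _allowed(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] > self._window:
            q.popleft()                    # drop timestamps outside the window
        if len(q) >= self._limit:
            self.alerts.append((client, now))
            return False
        q.append(now)
        return True

    def duplicate_check(self, client: str, identifier: str, now=None) -> dict:
        now = time.monotonic() if now is None else now
        if not self._allowed(client, now):
            return {"status": "rate_limited"}
        # Keyed token: deterministic for the server, meaningless to the caller,
        # and computed the same way regardless of whether the identifier exists.
        token = hmac.new(self._secret, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        # In a real service the server would now queue an out-of-band message
        # keyed by `token`; the HTTP reply never reveals existence.
        return {"status": "check_your_inbox", "request_token": token}


if __name__ == "__main__":
    print(leaky_duplicate_check("alice@example.com"))    # leaks existence and user id
    print(leaky_duplicate_check("nobody@example.com"))
    guard = EnumerationGuard(b"constructed-secret", limit=3, window_s=60.0)
    for ident in ("alice@example.com", "nobody@example.com", "bob@example.com", "x@example.com"):
        print(guard.duplicate_check("client-a", ident))
    print("alerts:", guard.alerts)
```

The important design point is not the token but the shape of the response: the hardened check returns the same keys and the same status for a registered and an unregistered identifier, so a list of phone numbers or emails cannot be turned into a list of confirmed accounts. The rate limiter is a second, independent control that also yields a signal (`alerts`) for detection.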
According to threat intelligence firm Hudson Rock, it's currently not possible to fully verify that there are 400 million users in the database. However, they said the data itself does appear to be legitimate.
Please Note: At this stage it is not possible to fully verify that there are indeed 400,000,000 users in the database. — Hudson Rock (@RockHudsonRock) December 24, 2022
From an independent verification the data itself appears to be legitimate and we will follow up with any developments.
How to stay safe
For maximum security, Twitter users should change their account's email address, ideally to an alias from a service such as Hide My Email. It's also important not to reuse passwords, and to generate complex ones with a password manager such as Bitwarden or iCloud Keychain.
Adding an extra layer of security with two-factor authentication should be the next move. It requires a special one-time code to log into an account, in addition to the username and password. Twitter has instructions on how to do so.
Users should also be wary of suspicious-looking emails and avoid clicking links or opening attachments. For example, if an email contains a link to change a Twitter password, people should instead navigate to Twitter's website manually and change their login information in the account settings.