

Data From 200 Million Twitter Users Offered For Free On Hacker Forum


Just weeks ago, a dataset allegedly containing the email addresses and phone numbers of more than 400 million Twitter users was put up for sale on the hacker forum Breached Forums. The dataset, which was posted by a hacker using the screen name "Ryushi," was first uploaded on December 23, 2022.

The hacker had claimed to have collected the data by utilizing a "data scraping technique" and a now-patched vulnerability in Twitter's software in 2021, Cyber Security Hub reported. The hacker demanded $200,000 for an "exclusive" sale of the data and warned that the social media platform could face a massive GDPR fine for failing to protect user data.

"Your best option to avoid paying $276 million USD in GDPR breach fines like Facebook did...is to buy this data exclusively," Ryushi reportedly posted, blaming Twitter for allowing its data to be hacked.

The forum post also included sample data for some 37 celebrities, corporations, journalists, politicians, and government agencies. Those included the likes of Doja Cat, Alexandria Ocasio-Cortez, the World Health Organization (WHO), Shawn Mendes, and Piers Morgan.

Data Now Offered For Free

On Wednesday afternoon, researchers at Privacy Affairs said that they had found evidence that the account details of over 200 million Twitter users had been leaked on the hacker forum for free.

"This new leak appears to be the same as the one reported in December 2022 that affected over 400 million accounts," Veronika Biliavska, content manager at Privacy Affairs, said via an email. "The 200 million number, in this case, resulted from the removal of duplicates."

Ominously, the data is now apparently available for anyone to download for free, instead of being listed for sale at $200,000, as it was in December, Privacy Affairs reported. Some of the well-known names and entities included are Sundar Pichai, Donald Trump Jr., SpaceX, CBS Media, the NBA, and the WHO.

The database was reportedly 63GB and the leaked data included account name, handle, creation date, follower count, and even email address. The researchers warned that the leaked data could be used to hack Twitter users' accounts, and could also be used for social engineering or "doxxing" campaigns.

However, Privacy Affairs analysts determined that phone numbers were not disclosed in this leak.

What Does This Actually Mean For Users?

This latest breach shouldn't be readily dismissed, especially for users posting controversial things under anonymous accounts.

"This leak essentially doxxes the personal email addresses of high profile users, which can be used for spam, harassment and even attempts to hack those accounts. High profile users may end up getting inundated with spam and phishing attempts on a mass scale," said Miklos Zoltan, CEO of Privacy Affairs.

Cybersecurity researcher Steve Hahn, executive vice president at BullWall, also suggested that this breach should be seen as very troubling.

"This threat actor began the monetization of this event with extortion of important people and that is how it's likely to end," warned Hahn. "Back in December, Elon Musk himself was being extorted as the result of this breach: 'Pay our fee or we leak your Twitter data.' Now imagine the doxing that can occur with this data in the wrong hands."

It could certainly be enough to ruin careers and relationships.

"A married public official with an anonymous account following, liking, and commenting on a sex worker's Twitter pics, or a disgruntled employee with an NDA posting incriminating leaks on a former employer," Hahn offered, as just two examples of the types of users who may have their lives upended by the breach.

Even for the average user, having posted highly controversial things could be enough to get them canceled or fired.

"With this data so widely available, any mischievous or nefarious person can collect the names tied to 'anonymous' Twitter handles and begin 'screenshotting' their activity and attempt to extort or embarrass those individuals," Hahn added. "This is a political opposition researcher's dream. For the rest of us, it's a nightmare. It's also a good reminder to use unique passwords for every site."
