Posted on January 1, 2023 at 9:13 PM
January 2023 kicked off with a scandal involving Twitter, where a hacker emerged with claims of having data that belongs to 400 million accounts. According to the hacker, they can either destroy the data, or hand it over. In exchange for a more preferable outcome, the hacker demands a $200,000 payment.
For the moment, the hacker is known only as Ryushi, and they have request a $200,000 payment in exchange for the data. According to some reports, the data might even include details involving certain celebrities.
Given the size of the stolen data, this is being treated as a massive security concern, which led the Data Protection Commission of Ireland to get involved with the matter. The DPC stated that it intends to evaluate Twitter’s compliance with data protection rules, and assess if the company is compliant with the relevant regulations.
For the time being, Twitter itself did not comment on the hacker’s claim, and it did not say what it plans to do about the request.
According to the hacker, the data that they stole is quite extensive, and it includes personal information, including emails and phone numbers, some of which belong to major celebrities, politicians, and other public figures. It is worth mentioning that the size of the haul remains unconfirmed, apart from the hacker’s own word.
So far, they have released a small sample of it to the public, in order to prove that the claim is genuine. According to the BBC, the released data includes information belonging to the US Congresswoman Alexandria Ocasio-Cortez. Reports also indicate that the data includes information belonging to the broadcaster, Piers Morgan. Morgan also had his Twitter account hacked recently, so the fact that his information is involved might not be much of a surprise.
The awareness of the hacked data sale was initially raised by the cybercrime intelligence firm, Hudson Rock. The company’s CTO stated that there are numerous clues that support the hacker’s claims, apart from the sample itself.
The chief technology officer also hinted towards a different breach seen in March last year, but he noted that this data appears to be a product of a different security breach. The March breach resulted in the publication of data belonging to 5.4 million Twitter accounts. However, if the hacker’s claim is correct, the March data dump might be only a small fraction of the data that was stolen this time.
According to the hacker, the stolen data was collected thanks to a problem with Twitter’s system. They were able to take advantage of the problem and breach Twitter’s defenses. The flaw in the system allows computer programs to connect to the social platform.
Earlier, on December 23rd, the DPC said that it was investigating a Twitter breach. Whether this is the same breach as the one that DPC was (and might still be) investigating, remains unknown. However, according to the hacker, they are well aware of the damage that selling or dumping this data can do.
So far, many have tried to reach out to Twitter, as well as Elon Musk, the company’s new CEO. Until now, Musk has been very active on the platform, but he failed to reply to the tweets requesting his comment. One such inquiry came from the leading cyber-security reporter, Brian Krebs, who noted that the breach likely took place even before Musk took over.
However, the BBC report also says that the DPC has engaged with Twitter in this inquiry. As for the hacker, they offered Twitter the opportunity to purchase the data “exclusively,” in order to prevent anyone else from getting it.
Ryushi even told Twitter and Musk that they are risking a GDPR fine due to the March breach, inviting them to “imagine the fine of 400m users breach source.” He added that Twitter’s best option to avoid paying $276 million in GDPR breach fines (like Facebook did) would be to pay $200,000 to Ryushi directly.