Date: 2022-12-27

Just when you thought the various controversies surrounding Twitter were abating, a hacker claims to be selling the data of 400 million users.

The data was reportedly captured in 2021 and obtained using an API vulnerability that has since been patched.

The threat actor, who calls himself ‘Ryushi’, has advised Elon Musk and Twitter to buy the data for the asking price of $200,000 or face an even bigger GDPR fine.

Twitter data breach 2022

The threat actor, who appears to have joined the hacking forum Breached in December 2022, wrote:

“Your best option to avoid paying $276 million USD in fines for GDPR infringement, as Facebook did (because 533 million users were dropped), is to buy this data exclusively…after that I will delete this thread and don’t sell this data anymore.”

Sample data for over 1,000 users, including a number of celebrities, was leaked. It contains email addresses, usernames, follower counts, creation dates, and, for some users, phone numbers.

If an exclusive sale to Twitter (or any other party that wants the information) is not made for $200,000, the hacker claims they will sell the data to multiple buyers for $60,000 each.

BleepingComputer reports that the API vulnerability was fixed in January 2022, but multiple threat actors have been confirmed to have used it, putting more than 400 million users at risk of scams and phishing attacks.

Elsewhere, WhatsApp recently came under pressure when a data breach leaked the personal information of more than 500 million users, though it is now believed this was a reuse of an older Facebook leak from 2019.

TechRadar Pro has reached out to Twitter for further comment on the threat.