Hacker claims to steal private knowledge of 400 million Twitter customers

A hacker has claimed to have stolen the non-public knowledge of 400 million Twitter customers, giving the social media platform much more complications after its rocky takeover by Elon Musk.

The hacker has provided to promote the information again to Twitter to assist it keep away from an enormous high quality from European authorities. “Your best choice to keep away from paying $276 million in GDPR breach fines like Fb did (because of 533m customers being scraped) is to purchase this knowledge completely,” the hacker wrote on a hacking discussion board.

ELON MUSK SAYS HE'LL STEP DOWN AS TWITTER CEO WHEN HE FINDS 'SOMEONE FOOLISH ENOUGH TO TAKE THE JOB'

If Twitter buys the information again, it'll stop customers from phishing assaults, doxxing, and different felony exercise, and it'll stop customers from shedding belief within the firm, the hacker wrote.

The hacker launched data of about 1,000 Twitter customers, together with billionaire Mark Cuban, Rep. Alexandria Ocasio-Cortez (D-NY), and Donald Trump Jr., in an try and show his claims. He claimed to have obtained the non-public knowledge in early 2022.

Twitter didn’t instantly reply to a request for feedback on the supposed breach. Nevertheless, some cybersecurity consultants mentioned the hacker’s claims seem like not less than partially credible. Partially due to the discharge of consumer data.

“The 400 million, nevertheless, could also be inflated, as risk actors are identified to inflate the harm that they've executed to extract more cash,” Greg Kelley, CTO at digital forensics supplier Vestige, advised the Washington Examiner. “The time it might take to validate that variety of stolen data would take too lengthy for a corporation to analyze in time.”

Twitter has had knowledge leaks up to now, giving this new declare some credibility, added Lou Steinberg, founder and managing associate of the cybersecurity analysis lab and incubator CTM Insights. Some researchers have in contrast the information on this breach with prior Twitter breaches and located knowledge that haven’t been disclosed beforehand, “making this extra more likely to be a brand new incident,” Steinberg advised the Washington Examiner.

Nevertheless, the hacker’s declare that Twitter can keep away from GDPR fines by paying the ransom is much less credible, he famous. “Uber was fined beneath GDPR regardless of paying a ransom, which they characterised as a bug bounty, and regardless of making the attacker signal an NDA,” Steinberg mentioned. “GDPR has disclosure necessities to each regulators and finish customers, along with demanding that cheap steps be taken to guard knowledge. It is actually conceivable that Twitter may very well be sanctioned even when they pay.”

Kelley urged Twitter customers to vary their passwords and allow two-factor authentication for accessing their accounts. Twitter customers ought to ignore emails or texts with hyperlinks to verify some data associated to their accounts as a result of these hyperlinks are sometimes phishing makes an attempt, he added.

“Think about any safety query that entails private knowledge that you just use on one other website to have been compromised,” he added. “Additionally, be looking out for phishing makes an attempt utilizing faux accounts or weaponizing your private data. It is going to probably take weeks, nevertheless, to weaponize the information for phishing and different makes use of, however it'll come.”

Steinberg agreed that phishing assaults are the largest hazard for Twitter customers. “Twitter customers needs to be further suspicious of hyperlinks in emails and texts, claims that they've received a prize or owe cash, and many others.,” he mentioned.

In the meantime, Steinberg urged Twitter to be clear in regards to the knowledge loss, if it truly occurred, and work to repair any issues the breach uncovered.

“Seal the leaks, or your ship will sink,” he mentioned. “Simpler mentioned than executed, however a complete evaluation of all public-facing APIs is so as.”

The corporate also needs to look so as to add new knowledge exfiltration detection providers, he recommended. “It needs to be arduous to extract that a lot knowledge with out setting off an alarm someplace. It is like carrying a grand piano out of a home, one thing needs to be making noise.”

Musk’s takeover of Twitter has hit a number of velocity bumps after the billionaire laid off 1000's of workers and banned a number of journalists from Twitter who've reported on him. The brand new declare of an information breach received’t assist an organization attempting to place its greatest foot ahead, some observers mentioned.

“If a big a part of the safety operations crew was not too long ago let go, there may need been a chance to raised detect the incident,” Steinberg mentioned. “That mentioned, it's extremely probably that each the vulnerability and possibly the incident predates Elon's possession, so arduous responsible him for that.”

Nevertheless, the breach creates a “headache” associated to Twitter’s status, and it’s a possible hit to an organization that Musk has claimed is burning money, he added. Some advertisers have pulled away from Twitter after Musk modified the platform’s moderation guidelines, and “it stays to be seen if it will trigger consumer loss that additional impacts advert income.”