Hacker ‘Ryushi’ demands Twitter pay $200,000 ransom to avoid releasing personal data of over 400 million Twitter users
A hacker using the name ‘Ryushi’ claims to have the data of 400 million Twitter users and is offering it for sale, demanding that Twitter or Elon Musk pay a $200,000 ransom to avoid its release. Security firms are still working to verify the authenticity of the data.
In a forum post, Ryushi included sample data for thirty-seven celebrities, politicians, journalists, corporations, and government agencies, including Alexandria Ocasio-Cortez, Donald Trump Jr., Mark Cuban, Kevin O’Leary, and Piers Morgan. A larger sample of 1,000 Twitter user profiles was leaked later.
The profiles combine public and private Twitter data: email addresses, names, usernames, follower counts, account creation dates, and phone numbers. Every leaked profile appears to have an email address associated with it, but many lack a phone number.
Ryushi also linked to a post on Archive.org explaining how buyers could profit from the stolen data, saying it could be used for phishing, SIM swapping, crypto scams, and BEC attacks, and for targeting high-value accounts or crypto users, among other things.
The alleged data dump is being sold on the Breached hacking forum, a site commonly used to sell user data stolen in breaches. Ryushi told BleepingComputer that he wants to sell the Twitter data exclusively to Twitter or to a single buyer for $200,000, after which he says he will delete it. If no exclusive purchase is made, he will sell copies to multiple buyers for $60,000 each.
Ryushi also warned Elon Musk and Twitter that they should purchase the data before it leads to a large fine under Europe’s GDPR privacy law.
“Twitter or Elon Musk, if you are reading this, you are already risking a GDPR fine over the 5.4m breach; imagine the fine of a 400m users breach source,” wrote Ryushi in a forum post. “Your best option to avoid paying $276 million USD in GDPR breach fines like Facebook did (due to 533m users being scraped) is to buy this data exclusively.”
When asked whether he had contacted Twitter to ransom the data, Ryushi told BleepingComputer that he had contacted Twitter and made calls but did not receive a response.
Twitter API Vulnerability
Ryushi told BleepingComputer that the data was scraped in 2021 using a now-fixed API vulnerability, the same flaw behind the earlier leak of 5.4 million Twitter users’ data. The vulnerability let an attacker submit a large list of phone numbers and email addresses to the API and receive the associated Twitter user IDs in response.
“I gained access by the same exploit used for the 5.4m data leak already. Spoke with the seller of it and he confirmed it was in the Twitter login flow,” Ryushi said. “So, in the check for duplication, it leaked the userID, which I converted using another API to username and other info.”
Twitter fixed the vulnerability in January 2022, but BleepingComputer has confirmed that before the fix it was exploited by multiple threat actors to scrape private information about Twitter users.
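The flaw described above belongs to a well-known class: a signup or login "duplicate check" that answers differently depending on whether an email or phone number is already registered, and worse, echoes the matching account's internal ID. The following added example (not Twitter's code, and not the API Ryushi used) models that pattern with a toy registration service: a vulnerable check that leaks user IDs, an attacker loop that bulk-feeds guessed identifiers through it, and a hardened check that returns an indistinguishable response, notifies the account owner out of band instead, and budgets requests per client. All users, identifiers and limits are constructed for the demo.

```python
"""
Added example: account-existence oracle in a "duplicate check" and a hardened form.
Not Twitter's code. USERS, the client IDs and the request budget are all constructed.
"""
from collections import defaultdict

# Constructed sample directory: contact identifier (email or E.164 phone) -> user ID.
# One account can be reachable by several identifiers, as alice is here.
USERS = {
    "alice@example.com": 1001,
    "+15550001111": 1001,
    "bob@example.com": 1002,
    "carol@example.com": 1003,
}

# Constructed profile lookup standing in for the "other API" that turns an ID into a username.
PROFILES = {1001: "alice", 1002: "bob", 1003: "carol"}


def duplicate_check_vulnerable(identifier: str) -> dict:
    """Vulnerable: the response differs for known vs unknown identifiers AND carries the user ID."""
    uid = USERS.get(identifier)
    if uid is None:
        return {"taken": False}
    return {"taken": True, "user_id": uid}


def harvest(check, candidates):
    """Attacker loop: push a list of guessed emails/phones through the check and keep any user IDs."""
    found = {}
    for ident in candidates:
        resp = check(ident)
        if resp.get("user_id") is not None:
            found[ident] = resp["user_id"]
    return found


def resolve_profiles(found):
    """Second stage: map harvested user IDs to usernames via the profile lookup."""
    return {ident: PROFILES.get(uid) for ident, uid in found.items()}


class HardenedDuplicateCheck:
    """Hardened: identical response whether or not the identifier exists,
    no user ID in any response, owner notified out of band, per-client request budget."""

    def __init__(self, max_requests: int = 5):
        self.max_requests = max_requests
        self.counts = defaultdict(int)
        self.outbox = []  # simulated out-of-band notifications to the real owner

    def check(self, client_id: str, identifier: str) -> dict:
        self.counts[client_id] += 1
        if self.counts[client_id] > self.max_requests:
            return {"error": "rate_limited"}
        if identifier in USERS:
            # Tell the legitimate owner, not the caller, that someone tried to register their contact.
            self.outbox.append((identifier, "An account already exists for this contact."))
        # Same body for taken and free identifiers: nothing here distinguishes the two cases.
        return {"ok": True, "message": "If this contact is new, continue to verification."}


if __name__ == "__main__":
    guesses = ["alice@example.com", "nobody@example.com", "+15550001111",
               "bob@example.com", "+15559999999"]
    leaked = harvest(duplicate_check_vulnerable, guesses)
    print("vulnerable endpoint leaked:", resolve_profiles(leaked))
    hardened = HardenedDuplicateCheck(max_requests=3)
    print("hardened endpoint leaked:", harvest(lambda i: hardened.check("attacker", i), guesses))
    print("owner notifications queued:", len(hardened.outbox))
```

The hardened variant is not just rate limiting: even within the budget, a taken and a free identifier produce byte-identical responses, so the only party who learns the identifier is registered is its owner, via the notification queue. Rate limiting alone would have slowed, not stopped, a scrape of this kind.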
According to Alon Gal of threat intelligence company Hudson Rock, it’s impossible at this point to fully verify that there are 400 million users in the database. However, Hudson Rock said that they have independently verified that the leaked samples appear legitimate.
“Please Note: At this stage it is not possible to fully verify that there are indeed 400,000,000 users in the database,” tweeted Hudson Rock. “From an independent verification the data itself appears to be legitimate and we will follow up with any developments. In the post, the threat actor claims the data was obtained in early 2022 due to a vulnerability in Twitter, as well as attempting to extort @ElonMusk to buy the data or face GDPR lawsuits.”
— Hudson Rock (@RockHudsonRock) December 24, 2022