The hackers, calling themselves ‘Ryushi’, told Elon Musk and Twitter to purchase the data for $200,000 or face an even greater GDPR penalty.
The threat actor, who appears to have attended the Breached hacking forum in December 2022, wrote:
“To avoid paying $276 million in GDPR violation penalties, as Facebook did (after 533 million users’ data was stolen), your best bet is to buy this data. After the sale, I will delete this thread and not sell the data again.”
Bomb on Twitter! Data of 400 million people was stolen!
Sample data of more than 1000 users, including celebrities, such as email addresses, usernames, follower counts, account creation dates, and phone numbers of some users were also leaked as evidence.
Unless a private sale is made to Twitter (or any other party requesting the information) for $200,000, the hacker claims he will sell the data to multiple buyers for $60,000 each.
Bleeping Computer reports that the API that caused the vulnerability was fixed in January 2022, but multiple threat actors have been confirmed to be using it, and more than 400 million users are at risk of fraud and phishing attacks.