A hacker recently made headlines by offering for sale data allegedly scraped from 400 million Twitter accounts, and security researchers are now investigating whether the claim holds up.
Twitter Data Leak
The leak comprises both public and private information that was scraped in 2021 by exploiting a flaw in the application programming interface (API) that has since been patched.
According to AppleInsider's report, the data was put up for sale on the Breached hacking forum by a user calling themselves "Ryushi."
The hacker's asking price for the full collection is $200,000.
As proof, Ryushi's post included sample records for a number of prominent figures, including Mark Cuban, Donald Trump Jr., and Alexandria Ocasio-Cortez.
Each record may include an email address, name, username, follower count, and phone number.
The hacker declared to BleepingComputer that they were only interested in selling to one customer and would destroy the data once the purchase was complete.
If no single buyer can be found, they will instead sell copies to multiple parties for $60,000 each.
According to Ryushi, they reached out to Twitter but did not hear back, which may be a consequence of the company's recent round of layoffs.
The Security Hole
Ryushi told BleepingComputer that the data was gathered by exploiting a flaw in Twitter's API that was fixed in January 2022. A prior leak covering 5.4 million accounts, scraped in 2021, was linked to the same vulnerability.
The flaw let an attacker submit lists of phone numbers and email addresses to the API and receive back the Twitter user ID associated with each one, which amounts to an account-enumeration oracle: anyone holding a contact list from another breach could check which entries belong to Twitter accounts.
"I gained access by same exploit used for 5.4m data leak already. Spoke with the seller of it and he confirmed it was in twitter login flow", Ryushi explained.
According to the hacker, the login flow's duplicate-account check returned the user ID for any submitted phone number or email address that was already registered. Ryushi then used a second API endpoint to resolve each ID to a username and the other profile fields.
Hudson Rock, a threat intelligence firm, said it could not verify that the database really holds 400 million accounts, but noted that the sample data itself appeared to be authentic.
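To make the enumeration pattern concrete, here is an added illustration (not Twitter's code, and not based on any knowledge of its internals) of a toy "is this contact already registered?" check that behaves the way the flaw is described above, the two-step lookup an attacker chains through it, and a hardened variant that returns the same answer for registered and unregistered contacts, never exposes the numeric ID, and caps how many distinct contacts one client may probe. The user directory, IDs and client addresses are all constructed for the example.

```python
"""Account-enumeration oracle (vulnerable) next to a hardened check.

Added example: a constructed user directory stands in for a real
account store. Nothing here is Twitter's code.
"""
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed directory: contact identifier -> (user_id, username).
USERS = {
    "alice@example.com": (1001, "alice_handle"),
    "+15550100001": (1002, "bob_handle"),
    "carol@example.com": (1003, "carol_handle"),
}


def vulnerable_duplicate_check(contact: str) -> dict:
    """Vulnerable: tells the caller whether the contact is registered AND
    leaks the numeric user ID. A list of emails/phones from any other
    breach can be replayed through this to find matching accounts."""
    if contact in USERS:
        user_id, _ = USERS[contact]
        return {"taken": True, "user_id": user_id}
    return {"taken": False}


def vulnerable_resolve(user_id: int) -> Optional[dict]:
    """Second endpoint: user ID -> public profile. Harmless on its own;
    chained after the oracle it links a phone/email to a handle."""
    for uid, handle in USERS.values():
        if uid == user_id:
            return {"user_id": uid, "username": handle}
    return None


def enumerate_contacts(contacts) -> dict:
    """The attacker's loop: contact list -> {contact: username}."""
    found = {}
    for contact in contacts:
        reply = vulnerable_duplicate_check(contact)
        if reply["taken"]:
            found[contact] = vulnerable_resolve(reply["user_id"])["username"]
    return found


class LookupRateLimiter:
    """Sliding-window cap on the number of DISTINCT contacts a client may
    probe. Counting distinct values, not requests, stops an attacker from
    hiding bulk enumeration behind a high per-request allowance."""

    def __init__(self, max_distinct: int, window_s: float):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._events = defaultdict(deque)  # client -> deque of (ts, contact)

    def allow(self, client: str, contact: str, now: float) -> bool:
        queue = self._events[client]
        while queue and now - queue[0][0] > self.window_s:
            queue.popleft()  # drop probes that fell out of the window
        seen = {c for _, c in queue}
        if contact not in seen and len(seen) >= self.max_distinct:
            return False
        queue.append((now, contact))
        return True


def hardened_duplicate_check(contact: str, client: str,
                             limiter: LookupRateLimiter,
                             now: Optional[float] = None) -> dict:
    """Hardened: identical response whether or not the contact exists, no
    user ID in the reply, and a per-client cap on distinct probes. The
    real "already registered" signal goes out of band to the contact's
    owner (e.g. a mail to that address), never back to the caller."""
    now = time.time() if now is None else now
    if not limiter.allow(client, contact, now):
        return {"status": "rate_limited"}
    # Out-of-band notification to the contact owner is not modeled here.
    return {"status": "ok",
            "message": "If this contact can be used, instructions were sent to it."}


if __name__ == "__main__":
    # Constructed "leaked" contact list replayed through the oracle.
    leaked = ["alice@example.com", "nobody@example.com", "+15550100001"]
    print("vulnerable:", enumerate_contacts(leaked))
    limiter = LookupRateLimiter(max_distinct=2, window_s=60)
    for i, c in enumerate(leaked):
        print("hardened:", c, hardened_duplicate_check(c, "10.0.0.1", limiter, now=float(i)))
```

The hardened reply is deliberately indistinguishable for registered and unregistered contacts; the limiter is a backstop for the case where some difference (timing, error code) slips through, since it bounds how many contacts a single client can test per window. In a real service the limiter state would live in a shared store keyed by more than source address, and the window and cap would be tuned to legitimate signup and login rates.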
Personal Protection
According to AppleInsider, Twitter users concerned about their account may consider changing the email address on it, particularly if they use a relay service such as Hide My Email, so that the address tied to the account is not their primary one.
Passwords should be unique to each site and changed at once if the same one has been reused elsewhere or there is any sign of compromise; a password manager such as Bitwarden or iCloud Keychain should be used to generate and store strong passwords.
Next, enable two-factor authentication: signing in then requires a one-time code in addition to the username and password, so a leaked or guessed password alone is not enough. Prefer an authenticator app or a security key over SMS codes, since phone numbers are among the leaked fields and a number known to attackers is a target for SIM swapping. Twitter's help pages explain how to turn it on.
Be wary of unexpected messages: the leaked email addresses and phone numbers are exactly what phishing campaigns need. Do not click links or open attachments in unsolicited email or texts, and if you receive a message asking you to update your Twitter password, go to the site directly rather than following the link.