A new problem for Elon Musk? A message posted on December 23rd on the most popular data sales forum should catch his attention. One user, under the pseudonym Ryushi, claims to have data from 400 million Twitter accounts. It is said to be a mix of public data (usernames, account creation dates, etc.) and private data (email addresses and phone numbers).
Without giving a price, the criminal intends to sell the database to a single buyer, and in a threatening tone he suggests that Elon Musk become that buyer to avoid trouble. At stake: the social network’s reputation, but also a potential fine from the European regulator. The billionaire owner of the social network, although usually quick to react to the slightest comment on his platform, has so far not commented on the subject despite several attacks.
Compromised celebrity phone numbers
Alon Gal, founder of Hudson Rock and a widely followed expert on data leaks, recalls on his LinkedIn account that “at present, it is impossible to fully verify that there is actually data from 400 million users in the database, or even that the latter comes directly from Twitter.” Indeed, in this environment crooks are numerous, because they are bound only by their word. Unlike in legitimate trade, the buyer has no protection if he is cheated on the goods.
Often, crafty criminals compile already leaked data to add volume to their offer. Likewise, just because the data appears to belong to Twitter doesn’t necessarily mean the company is to blame for the leak: it’s not uncommon for subcontractors to leak their customers’ data after a cybersecurity incident.
To convince the members of the forum of the truth of his claims, Ryushi therefore attached to his message a sample of 1,000 records, a common practice in this environment. It includes data from celebrities such as singer Shawn Mendes and basketball player Stephen Curry, data from large organizations such as NASA, and data from political figures such as Republican Donald Trump Jr. and Democrat Alexandria Ocasio-Cortez.
By displaying these well-known names, criminals can both draw attention to their advertisements and raise the stakes. With good reason: the presence of information about rich and influential personalities increases the potential gains for hackers exploiting the database. But Ryushi already has a buyer in sight: Elon Musk, although the latter has still not responded to the proposal.
Extortion over the fine
“Twitter or Elon Musk if you’re reading this. You are already at risk of being fined for breaching the GDPR after the leak of 5.4 million pieces of data earlier this year. Imagine the size of the fine for a leak affecting 400 million users or 75 times more people,” he writes. In a threatening tone, the criminal recalls that at the end of November, Facebook received a fine of 265 million euros from the Irish data authority for violating the GDPR. One of the social network’s features had made it possible for criminals to siphon data, and especially phone numbers, of more than 533 million users in 2019. This data was found in the wild again in 2021, which triggered a new scandal.
Ryushi therefore proposes that the billionaire buy the database himself to cover up the affair. If the businessman complies, the hacker promises to delete his posting and never sell the database again. “You will thus protect many celebrities and political figures,” he says, before providing a long list of malicious acts they could be the target of thanks to the data.
Specifically, the phone numbers and emails in the database could be useful for phishing: criminals would send personalized messages, since they would know the identity of the recipients, in an attempt to trick their victims into installing malware or to steal their credentials. In other words, the information in the database is not enough to steal accounts (Twitter, Instagram…) or money from the people in question, but it provides a starting point for fraudsters.
To complete his pitch, Ryushi also resorts to reputational blackmail. “It is the company’s fault if this data is leaked (…). Influencers will no longer trust you, which would be a shame given the current projects for Twitter,” he asserts. Facing a decline in advertisers on Twitter and in great difficulty with Tesla’s shareholders, Elon Musk does not need another scandal, even if he could blame the previous management.
A leak dated January
Ryushi actually claims to have recovered the data at the beginning of 2022, thanks to a vulnerability that has already been discussed. In July, another person put a similar database up for sale, but with “only” 5.4 million accounts, for $30,000. It contained mostly public data, but also a number of phone numbers and email addresses.
The data, dated December 2021, had been collected thanks to a bug in the Twitter API, the tool that allows websites and other software to retrieve public data from the social network (for example, for advertising purposes or to embed tweets). An operational flaw allowed hackers, by sending random phone numbers and email addresses to the API, to recover the associated Twitter ID. With this identifier (which takes the form of a sequence of numbers), the attackers could then retrieve all kinds of public information on the account using the API. In other words, the API did not directly provide private data, but allowed it to be discovered indirectly. The bug had been reported to Twitter by an ethical hacker via HackerOne’s bug bounty program and fixed immediately.
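To make the mechanism above concrete, here is an added example, not taken from the article and not Twitter’s code: a toy lookup endpoint that behaves as the contact-to-ID oracle described, next to a hardened variant and a log check for enumeration. The account data, client names, status codes and thresholds are all constructed assumptions.

```python
# Added illustration: toy model of a contact-lookup endpoint (assumed design).
from collections import defaultdict

# Constructed sample accounts: contact detail -> numeric account ID.
ACCOUNTS = {"alice@example.com": 1001, "+15550100": 1002}

def lookup_leaky(contact):
    """Behaviour described in the article: a match returns the account ID,
    so every request confirms or rules out one contact detail."""
    account_id = ACCOUNTS.get(contact)
    if account_id is None:
        return {"status": 404}
    return {"status": 200, "id": account_id}

class HardenedLookup:
    """Assumed mitigation: the reply never depends on whether the contact
    exists, and each client may submit only a few distinct contacts."""
    def __init__(self, max_distinct=3):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)   # client -> distinct contacts submitted

    def lookup(self, client, contact):
        self.seen[client].add(contact)
        if len(self.seen[client]) > self.max_distinct:
            return {"status": 429}     # enumeration-like volume: throttle
        return {"status": 202}         # uniform reply, no ID, hit or miss

def flag_enumerators(log, threshold):
    """Detection over request logs: clients that sent more than `threshold`
    distinct contacts to the lookup endpoint."""
    distinct = defaultdict(set)
    for client, contact in log:
        distinct[client].add(contact)
    return sorted(c for c, s in distinct.items() if len(s) > threshold)

# Constructed log of (client, submitted contact) pairs.
SAMPLE_LOG = [("app-a", "alice@example.com")] * 4 + [
    ("app-b", f"+1555010{n}") for n in range(6)
]

if __name__ == "__main__":
    print(lookup_leaky("alice@example.com"), lookup_leaky("bob@example.com"))
    print(flag_enumerators(SAMPLE_LOG, threshold=3))
```

Counting distinct contacts per client, rather than raw request volume, is what separates a busy but legitimate integration (app-a) from one walking through candidate numbers (app-b).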
A month after the sale of the data, the social network confirmed the existence of the bug and its connection to the database. Finally, the database of 5.4 million accounts was released for free in September by another person, and then again in late November. Bleeping Computer then revealed that several malicious actors had exploited the flaw to steal private information, and Ryushi is likely one of them. According to Alon Gal, only 50 of the 1,000 records in the sample were in the database of 5.4 million records. Enough to win over a buyer?