A hacker claiming to have a database of 400 million Twitter users’ info is reportedly trying to sell it on the black market.

Among those supposedly for sale are Ethereum co-founder Vitalik Buterin’s private contact information, as well as that of shark tank host Kevin O’Leary and Mark Cuban. The data of 400 million Twitter users, including private emails and phone numbers, is said to be for sale on the black market. On December 24, cybercrime intelligence outfit Hudson Rock raised a “credible threat” through Twitter, claiming that someone is selling a private database including contact information for 400 million Twitter user accounts.

What does the private database include?

“The private database contains devastating amounts of information including emails and phone numbers of high profile users such as AOC, Kevin O’Leary, Vitalik Buterin & more,” Hudson Rock explained, before adding:

“In the post, the threat actor claims the data was obtained in early 2022 due to a vulnerability in Twitter, as well as attempting to extort Elon Musk to buy the data or face GDPR lawsuits.”

While Hudson Rock has not been able to completely verify the hacker’s claims due to the large number of accounts, it has said that a “independent verification of the data itself appears to be legitimate.”

Is it a threat to Crypto Twitter users?

DeFiYield, a Web3 security firm, also examined 1,000 accounts provided by the hacker as a sample and confirmed that the data is “genuine.” It also contacted the hacker via Telegram, noting that they are actively looking for a buyer there. If confirmed, the hack might be a major source of concern for Crypto Twitter users, particularly those who use a pseudonym. However, several users have stated that such a large-scale breach is difficult to imagine, given that the current number of active monthly users is estimated to be over 450 million.

Extorting $276 million from Elon Musk

At the time of writing, the alleged hacker had a post on Breached advertising the database for sale. It also includes an explicit call to action for Elon Musk to pay $276 million in order to stop the data being sold and facing a fine from the General Data Protection Regulation agency. If Musk pays the price, the hacker promises to destroy the data and not sell it to anyone else in order “to prevent a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing, and other things.”

The compromised data is said to have come from Twitter’s “Zero-Day Hack,” in which an application programming interface vulnerability from June 2021 was exploited before it was fixed in January of this year. The weakness allowed hackers to scrape sensitive information, which they subsequently collected into databases to sell on the dark web. Along with this alleged database, two others have already been uncovered, one with around 5.5 million users and another with up to 17 million users, according to a November 27 report from Bleeping Computer. Targeted phishing efforts via text and email, sim switch attacks to get access to accounts, and the doxing of private information are all risks of having such information released online. People are encouraged to take measures such as enabling two-factor authentication for their multiple accounts using an app rather than their phone number, updating their passwords and storing them securely, and using a private self-hosted crypto wallet.

Source: cointelegraph