A new problem for Elon Musk to manage? An announcement posted on Dec. 23 on the most popular data-selling forum should catch his attention. A user going by the pseudonym Ryushi claims to hold data from 400 million Twitter accounts. It would be a mix of public data (usernames, account creation dates, etc.) and private data (email addresses and phone numbers).
Without naming a price, the seller intends to sell the database to a single buyer, and in a threatening tone he suggests that Elon Musk become that buyer in order to avoid trouble. At stake: the reputation of the social network, but also a potential fine from the European regulator. The billionaire owner of the social network, usually quick to respond to the slightest comment on his platform, has so far said nothing on the subject, despite several attacks.
Compromised celebrity phone numbers
Alon Gal, founder of Hudson Rock and a widely followed expert on data leaks, notes on his LinkedIn account that “at this time it is impossible to fully verify that the database indeed contains the data of 400 million users, or even that it comes directly from Twitter.” Indeed, fraudsters are numerous in this environment, because sellers pledge nothing but their word. Unlike in legal trade, the buyer has no protection if he is cheated on the goods.
Often, cunning crooks compile already leaked data to give volume to their offer. Similarly, just because the data appears to belong to Twitter does not necessarily mean that the company is at fault for the leak: it is not uncommon for subcontractors to leak their customers’ data following a cybersecurity incident.
To convince forum members of the veracity of his claims, Ryushi therefore attached a sample of 1,000 entries to his announcement, a common practice in this environment. It includes data from celebrities such as singer Shawn Mendes and basketball player Stephen Curry, data from large organizations such as NASA, and data from political figures such as Republican Donald Trump Jr. and Democrat Alexandria Ocasio-Cortez.
Showing these well-known names allows the criminals both to draw attention to their listing and to raise the stakes. For good reason: the presence of information on rich and influential personalities increases the potential gains for hackers who exploit the database. But Ryushi already has a buyer in sight: Elon Musk, although the latter has still not responded to the proposal.
Blackmail with the threat of a fine
“Twitter or Elon Musk, if you’re reading this. You already risk being fined for breaching the GDPR following the leak of 5.4 million pieces of data earlier this year. Imagine the amount of the fine for a leak that affects 400 million users, or 75 times more people,” he writes. In a threatening tone, the crook recalls that Facebook received a fine of 265 million euros from the Irish data protection authority at the end of November for violating the GDPR. One of the social network’s features had allowed criminals to scrape the data, and in particular the telephone numbers, of more than 533 million users in 2019. This data resurfaced in the wild in 2021, which had sparked a new scandal.
Ryushi therefore proposes that the billionaire buy the database himself to bury the affair. If the businessman complies, the hacker promises to delete his post and never sell the database again. “You will thus protect many celebrities and political figures,” he says, before listing a long series of malicious acts of which they could be the target thanks to the data.
In concrete terms, the telephone numbers and email addresses in the database can be useful for phishing: criminals could send personalized messages, since they would know the identity of the recipients, to trick their victims into installing malware or handing over their credentials. In other words, the information contained in the database is not enough on its own to take over accounts (Twitter, Instagram, etc.) or steal money from the people concerned, but it gives scammers a starting point.
To complete his pitch, Ryushi also plays on Musk’s reputation. “It is the fault of the company if this data leaked (…). Influencers will no longer trust you, which would be a shame given the current projects for Twitter,” he insists. Abandoned by advertisers on Twitter and in great difficulty with Tesla shareholders, Elon Musk does not need another scandal, even if he could blame the previous management.
A leak dating back to January
Ryushi indeed claims to have obtained the data at the beginning of 2022, through a vulnerability that has already been discussed. In July, another individual put a similar database up for sale, but with “only” 5.4 million accounts, for $30,000. It contained mostly public data, but also a number of phone numbers and email addresses.
The data, dated December 2021, had been collected through a flaw in the Twitter API, the interface that allows websites and other software to retrieve public data from the social network (for example, for advertising purposes or to embed tweets). A bug in its operation allowed attackers, by submitting random phone numbers and email addresses to the API, to retrieve the associated Twitter ID. With this identifier (a sequence of digits), the crooks could then retrieve all kinds of public information about the account through the API. In other words, the API did not hand over private data directly, but allowed it to be discovered indirectly. The flaw had been reported to Twitter by an ethical hacker via HackerOne’s bug bounty program and was corrected immediately.
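The lookup behaviour described above is a classic account-enumeration leak: the response reveals whether a submitted phone number or email is tied to an account. The following added example (not Twitter’s code; the handler names, the in-memory user table and the log lines are constructed) shows a leaky lookup beside the usual fix of a uniform response, plus a simple detector for clients probing many distinct contacts.

```python
from collections import defaultdict

# Constructed sample directory: contact -> numeric account ID (invented values).
USERS = {"alice@example.com": 1001, "+15550100": 1001, "bob@example.com": 1002}


def lookup_vulnerable(contact: str) -> dict:
    """Leaky behaviour: a hit returns the ID and a miss returns a different
    shape, so submitting guessed contacts reveals which ones belong to an account."""
    if contact in USERS:
        return {"found": True, "user_id": USERS[contact]}
    return {"found": False}


def lookup_hardened(contact: str) -> dict:
    """Mitigated behaviour: identical response for hits and misses, so the
    reply carries no information about whether the contact is registered."""
    _ = USERS.get(contact)  # any side effect (e.g. notifying the owner) goes here
    return {"status": "accepted"}


def enumeration_suspects(log_lines, threshold: int = 3):
    """Detection: from access-log lines 'client=<id> contact=<value> hit=<0|1>',
    flag clients that query many distinct contacts with a low hit ratio."""
    distinct = defaultdict(set)
    hits = defaultdict(int)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        distinct[fields["client"]].add(fields["contact"])
        hits[fields["client"]] += int(fields["hit"])
    return sorted(c for c, s in distinct.items()
                  if len(s) >= threshold and hits[c] < len(s) // 2)


# Constructed log lines: client A probes many contacts, client B looks normal.
SAMPLE_LOG = [
    "client=A contact=+15550101 hit=0",
    "client=A contact=+15550102 hit=0",
    "client=A contact=+15550100 hit=1",
    "client=A contact=+15550103 hit=0",
    "client=B contact=alice@example.com hit=1",
]

if __name__ == "__main__":
    print(lookup_vulnerable("+15550100"), lookup_vulnerable("+15559999"))
    print(lookup_hardened("+15550100"), lookup_hardened("+15559999"))
    print(enumeration_suspects(SAMPLE_LOG))
```

The hardened handler alone does not stop bulk probing, so the per-client cardinality check is what gives defenders a signal to rate-limit or block.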
A month after the data went on sale, the social network confirmed the existence of the flaw and its link to the database. Eventually, the database of 5.4 million accounts was released for free in September by another individual, and then again in late November. Bleeping Computer then revealed that several malicious actors had exploited the flaw to steal private information, and Ryushi is likely one of them. According to Alon Gal, only 50 of the 1,000 entries in the sample appear in the database of 5.4 million records. Enough to land a buyer?