Among those purportedly for sale are Ethereum co-founder Vitalik Buterin’s private contact information, as well as that of shark tank host Kevin O’Leary and Mark Cuban.
The data of 400 million Twitter users, including private emails and phone numbers, is said to be for sale on the black market.
On December 24, cybercrime intelligence firm Hudson Rock raised a “credible threat” via Twitter, claiming that someone is selling a private database containing contact information for 400 million Twitter user accounts.
“In the post, the threat actor claims the data was obtained in early 2022 due to a vulnerability in Twitter, as well as attempting to extort Elon Musk to buy the data or face GDPR lawsuits,” Hudson Rock stated.
While Hudson Rock has not been able to fully verify the hacker’s claims due to the large number of accounts, it has stated that a “independent verification of the data itself appears to be legitimate.”
DeFiYield, a Web3 security firm, also examined 1,000 accounts provided by the hacker as a sample and confirmed that the data is “real.” It also contacted the hacker via Telegram, noting that they are actively looking for a buyer there.
If confirmed, the breach could be a major source of concern for crypto Twitter users, particularly those who use a pseudonym.
However, some users have stated that such a large-scale breach is difficult to believe, given that the current number of active monthly users is estimated to be around 450 million.
At the time of writing, the alleged hacker had a post on Breached advertising the database for sale. It also includes a specific call to action for Elon Musk to pay $276 million in order to avoid the data being sold and facing a fine from the General Data Protection Regulation agency.
If Musk pays the fee, the hacker promises to delete the data and not sell it to anyone else in order “to prevent a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing, and other things.”
The compromised data is thought to have come from a “Zero-Day Hack” on Twitter, in which an application programming interface vulnerability from June 2021 was exploited before it was patched in January of this year. The bug allowed hackers to scrape private information, which they then compiled into databases to sell on the dark web.
