Twitter Faces Probe After Data On 400m Users Offered For Sale


Ireland data commission to investigate after hacker offers information from 400 million Twitter accounts for sale

Ireland’s data protection office is to investigate an apparent security breach at Twitter after a hacker claimed to offer personal details from 400 million accounts for sale online.

The hacker, using the handle “Ryushi”, offered a sample of details from about 1,000 accounts on 23 December, the same day that Ireland’s Data Protection Commission (DPC) said it would investigate an earlier Twitter breach that affected about 5.4 million accounts.

Both incidents appear to have used the same data-scraping vulnerability, which Twitter said it fixed in January 2022.

Ryushi asked for $200,000 (£166,000) to hand over the data and delete it.


The person suggested that it would be in Twitter’s best interests to buy the data itself “exclusively” in order to avoid a large data-protection fine.

The post referred to a 265m euro (£234m) fine the Ireland DPC levied on Facebook parent Meta in November over a data breach affecting about 533 million users.

Ireland’s DPC said it “will examine Twitter’s compliance with data-protection law in relation to that security issue”.

Twitter, which has no press office after it was cut by owner Elon Musk, has not commented on the latest supposed breach.

Celebrity accounts

The small sample of data released so far has included information from the accounts of US politician Alexandria Ocasio-Cortez and broadcaster Piers Morgan.

Computer security firm Hudson Rock, which first brought the latest breach to wider attention, said the hacker’s claim appears credible.

Hudson Rock chief technology officer Alon Gal told the BBC only 60 of the emails in the sampled data appeared in the data from the earlier incident, indicating that “this breach is different and significantly bigger”.

Gal noted that the hacker offered to use an escrow service to sell the data, which would release the funds only if certain conditions are met, another indication in favour of the breach being genuine.