Twitter will be investigated by Ireland’s data protection regulator after a hacker claimed to hold personal information of more than “400 million” accounts and offered to sell it online.
Twitter is already facing an inquiry into a data breach that took place in November. The incident involved leaks concerning personal information of more than 5.4 million users. The investigation is being led by the Data Protection Commission (DPC).
“Reports have claimed that some additional datasets have now been offered for sale on the dark web,” the regulator said, referring to the latest breach. “The DPC has engaged with Twitter in this inquiry and will examine Twitter’s compliance with data-protection law in relation to that security issue.”
The claims came from a hacker named “Riyushi”, who demanded $200,000 in exchange for personal details linked to over 400 million Twitter accounts. According to reports, the datasets were put up for sale on a hacker forum and contain user names, phone numbers, account creation dates, and follower counts. The offer was made exclusively to Twitter so that the company could avoid large fines from regulators for failing to protect user data.
The hacker behind the massive breach also published personal data of more than 1,000 users, who include celebrities, politicians, and other prominent figures. Former Australian prime minister Scott Morrison, celebrities such as Cara Delevingne and Shawn Mendes, US politician Alexandria Ocasio-Cortez, and British TV host Piers Morgan are said to have been entangled in the leaks. The data was allegedly stolen by exploiting a “vulnerability” in the site.
There has been no comment on the reported leaks from Twitter so far. The platform’s new owner, Elon Musk, has not responded to the cybersecurity incident either.
Hey @elonmusk, since you don't seem to have much of a media/comms team anymore, can you address the apparently legitimate claim that someone scraped & is now selling data on hundreds of millions of Twitter accounts? Maybe it didn't happen on your watch, but you owe Twitter a reply.
— briankrebs (@briankrebs) December 27, 2022
The claimed number of affected users, however, has not been confirmed.