Cybercriminals are selling the public and private data of 400 million Twitter users on a hacker forum. They are asking for 188,000 euros ($200,000).
According to the security news website, cybercriminals, under the name Ryushi, have put the Twitter data up for sale on the hacking forum Breached. The data was “scraped” from the social platform in 2021 by exploiting a then-existing vulnerability. This vulnerability was fixed early this year. Nonetheless, the vulnerability was reportedly exploited several times.
The vulnerability allowed hackers to enter long lists of phone numbers and e-mail addresses into a Twitter API. They then received a corresponding Twitter user ID in return. The cybercriminals then used this ID with other information to surface users’ public profile data. In this way, they built a Twitter user profile containing both public and private data.
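From the defender's side, the bulk lookups described above leave a recognizable trace in API logs: one client resolving a very large number of distinct phone numbers or e-mail addresses in a short time. The following is an added example, not code from Twitter or from the original article; the log layout, client names, window and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

def make_sample_log():
    """Constructed sample records: (unix_time, client_id, identifier_looked_up)."""
    log = []
    # Hypothetical client "app-7" walks a sequential phone-number range.
    for i in range(300):
        log.append((1000 + i, "app-7", f"+1555{i:07d}"))
    # Hypothetical client "user-42" uploads a small address book once.
    for i, ident in enumerate(["a@example.com", "b@example.com", "+15559990001"]):
        log.append((1100 + i, "user-42", ident))
    return log

def find_enumerators(log, window=600, max_distinct=100):
    """Return {client_id: peak} for clients whose peak number of distinct
    identifiers looked up in any `window`-second span exceeds max_distinct."""
    per_client = defaultdict(list)
    for ts, client, ident in sorted(log):
        per_client[client].append((ts, ident))

    flagged = {}
    for client, events in per_client.items():
        counts = defaultdict(int)  # identifier -> occurrences inside the window
        start = 0                  # index of the oldest event still in the window
        peak = 0
        for ts, ident in events:
            counts[ident] += 1
            # Evict events that have fallen out of the sliding window.
            while events[start][0] <= ts - window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[client] = peak
    return flagged

if __name__ == "__main__":
    for client, peak in find_enumerators(make_sample_log()).items():
        print(f"{client}: {peak} distinct identifiers within 600 s")
```

Counting distinct identifiers rather than raw requests keeps a client that repeatedly resolves the same few contacts from being flagged.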
Pressure on Elon Musk
The cybercriminals now want to sell the stolen public and private data for $200,000. In their post, they mainly call on Twitter owner Elon Musk and Twitter itself to respond. Otherwise, Twitter can most likely expect heavy fines from regulators if this data actually leaks out.
The hackers also provide a link to a post describing how other cybercriminals can misuse the data in phishing campaigns, crypto scams and BEC attacks.
Other data breaches
This latest data breach comes at an unfavorable time for Twitter. In addition to all the turmoil the social network is currently going through, the Irish Data Protection Commission (DPC), Ireland’s privacy regulator, recently launched an investigation into an earlier Twitter data breach. This involved the publication of data of 5.4 million users that was stolen in 2021. The Twitter vulnerability was also used for this breach.
In addition, another cybercriminal claims to have stolen the data of 17 million end users via the vulnerability. As yet, this data has not been made public or put up for sale.