The personal data of more than 400 million Twitter accounts is said to be for sale on the web after an alleged data breach of the popular microblogging service. But what exactly is being sold, and how can you protect yourself?
What happened during the alleged Twitter data breach in December 2022?
On December 23, 2022, a user of a popular data breach forum announced that he was selling the private data of 400 million users recovered through a vulnerability in Twitter’s API.
While the user directly offered the data for sale, he also made an offer to Twitter CEO Elon Musk, promising exclusivity and the ability to avoid millions of dollars in fines from data protection agencies and regulators, as reported by The Register:
Twitter or Elon Musk, if you’re reading this, you’re already at risk of GDPR fines of more than 5.4 million violations, which mimics the fine of 400 million user violations.
I would advise, your best option to avoid paying $276m in fines for GDPR violations like Facebook did (due to 533m users scraped) is to buy that data exclusivity, which can go through the official owner here @.[redacted] or admin@[redacted]. After that I will delete this thread and not sell this data anymore.
MUO found a limited sample of this data, and while we can’t verify its authenticity, it appears to show the user’s email address, name, username, account creation date, and number of followers. About half of the accounts listed also contain phone numbers.
Twitter currently has no communications staff that can be reached for comment.
As the suspected hacker mentioned, Twitter is already facing legal issues, and the Irish Data Protection Commission recently opened an investigation into a data breach from August 2022 that affected 5.4 million Twitter users, according to TechGenix.
What can criminals do with information from Twitter flaws?
Having your personal information sold by criminals is a bad thing, especially if the people willing to spend money to buy it are also criminals expecting a return on their investment.
Email addresses can be used to facilitate social engineering and spearphishing attacks against you or your contacts. These attacks can be particularly effective when combined with the large amount of personal information you share on your Twitter account. Phone numbers are often used as part of a two-factor authentication (2FA) system for PayPal and banking services. Cybercriminals who know your phone number can use this to carry out a SIM card swapping attack, giving them access to your phone number and thus your financial accounts.
While there is no confirmation that the information will be released to private consumers, or even that it is authentic, it could be used by criminals to target you. If the email address on your Twitter account is also used for any other accounts, you must change it immediately on those accounts. Also, you must separate the phone number used for your Twitter account from any other account.
Going forward, you should use an email alias for any account you sign up for and, if possible, use a second phone number. Text- or phone-based 2FA systems have long been considered insecure, and you should opt for app-based 2FA systems instead.
Twitter is not the only microblogging platform
2022 has not been the best year for Twitter. Along with the latest alleged security breach, the company also lost nearly half of its staff, including the entire communications department. If you’re concerned about Twitter’s security and potential future longevity, consider using a different platform.