A hacker claims to have stolen the private data of 400 million Twitter users via a bug in an API. The hacker is offering the data for sale on a forum, after the API bug was fixed.
The hacker, who goes by the name Ryushi, has posted the data on BreachForums. He or she claims that it covers 400 million unique Twitter users. The data sets include the email addresses and phone numbers of those users, along with their usernames and other public information such as follower count. Ryushi shares a few examples of well-known users, including politicians, corporate executives, and influencers like Linus from Linus Tech Tips.
Ryushi says the data was scraped from an API. That API bug has reportedly been fixed by now. The hacker told Bleeping Computer that it was the same bug that previously leaked the data of 5.4 million users. This was possible via a bug in the Android client that allowed an attacker to make a POST request to Twitter's onboarding API. That vulnerability has since been closed, but several groups of hackers had already exploited the bug and stolen data. However, never before has it involved as many users as it does now.
The hacker wants to sell the data through an intermediary on BreachForums. Ryushi says he or she wants $200,000 for the data. With such an exclusive sale, the data will be removed from the forum afterwards. Failing that, the hacker wants $60,000 per non-exclusive purchase. Ryushi says he or she approached Twitter to make a deal, but got no response.