Enlarge image
Twitter owner and CEO Elon Musk: Irish data protection officers are already investigating
Photo: OLIVIER DOULIERY / AFP
In a hacker forum, someone is offering the data of allegedly 400 million Twitter users, including celebrities such as ex-US President Donald Trump and Apple co-founder Steve Wozniak.
In addition to names and user names, the data set should also contain non-public information such as telephone numbers and e-mail addresses.
In the forum, the provider writes under the alias "Ryushi" to "Twitter or Elon Musk" that the company is already risking a data protection fine for a data leak involving 5.4 million people, so you can imagine the penalty for 400 million leaked data records.
"Your best option to avoid a $276 million fine like Facebook has to pay (for 533 million user data scraped) is to buy that data exclusively," Ryushi wrote.
"Ryushi" alludes to the recent decision by the Irish data protection authority DPC to demand a fine of the equivalent of 276 million dollars from Facebook's parent company Meta after data from around half a billion Facebook users had been offered in a hacker forum.
Blackmailer demands $200,000 for exclusive acquisition
The sum now demanded by Twitter or Musk is not mentioned in the obvious attempt at blackmail.
In a chat with the provider, however, "Bleeping Computer" found out that he was asking for $200,000 and wanted to delete the data in return.
If no exclusive deal comes about, "Ryushi" wants to sell the package several times for $ 60,000 each.
There is no guarantee that the data would actually be deleted.
It's also unclear how many of the datasets are complete and up-to-date, and whether it really is 400 million.
It would be possible: according to Musk, Twitter only has a good 250 million daily active users, but there are still 1.5 billion inactive accounts.
According to the IT security company Hudson Rock, the published sample contains correct data.
But even if the company could buy the data from the market, that would not necessarily prevent an investigation by data protection authorities.
So Twitter has no reason to respond to the attempted blackmail.
Musk hasn't commented publicly either.
What »Ryushi« is right about: The DPC is already investigating a data leak on Twitter from last January, as the authority announced on Friday.
At that time it was about 5.4 million accounts and the associated Twitter IDs, telephone numbers and email addresses.
A vulnerability in Twitter's registration process had allowed attackers to read this data in bulk.
Twitter reported the vulnerability and closed it five days later.
But in the meantime, someone had gained access to millions of data sets, and in the summer they were offered for sale on the Internet.
"Ryushi" claims to have exploited the same vulnerability.
The DPC assumes that Twitter may have violated its obligations under the General Data Protection Regulation (GDPR) at the time, although the company duly reported the incident.
It is not yet clear how much the authority could impose a fine.
She has considerable discretion.
pbe
