After a hacker claimed to have private information related to more than 400 million users on Twitter, a watchdog organisation has decided to probe the company.
“Ryushi,” the hacker, is asking for $200,000 (about £166,000) in exchange for handing over the material, which is said to contain the personal information of certain celebrities, and deleting it.
Ireland’s Data Protection Commission (DPC) stated that it “will evaluate Twitter’s compliance with data-protection legislation in regard to that security vulnerability.”
Twitter has not issued a statement in response to the accusations.
It is speculated that the data includes telephone numbers and email addresses, some of which belong to public figures such as celebrities and politicians; nevertheless, the extent of the alleged haul cannot be verified. So far, the public has seen only a “sample” comprising a very tiny portion.
According to The Guardian, the data of US Congresswoman Alexandria Ocasio-Cortez was reportedly included in the sample of data that was disclosed by the hacker. According to reports, the information of broadcaster Piers Morgan, whose Twitter account was stolen not too long ago, is also included in the leak.
Concerning the alleged security vulnerability, Twitter has not provided a response to questions from the press as of yet.
Chief executive Elon Musk did not respond to a tweeted request for comment from prominent cyber-security writer Brian Krebs; nevertheless, Mr. Krebs observes that the hack presumably happened before the Tesla boss took control.
The cyber-crime intelligence organisation Hudson Rock says it was the first to sound the alarm about the data sale.
Alon Gal, the chief technical officer of the company, told the BBC that a number of indicators seemed to confirm the hacker’s allegation. However, he did acknowledge that the quantity of data that was stolen had not been validated.
Mr. Gal said that it did not look as if the data had been taken from a previous hack in which information was disclosed from 5.4 million Twitter accounts.
In the last instance, the hacker offered a sample of 1,000 emails, but only 60 of those emails were found to have been compromised. “So we are certain that this breach is distinct and substantially greater,” he added.
Furthermore, Mr. Gal pointed out: “The hacker’s goal is to make a profit off of the sale of the information by using an escrow service that is advertised on a forum dedicated to cybercrime. Generally speaking, this is only done for genuine gifts.”
A third party that agrees to release cash only when specified criteria have been satisfied is known as an escrow service.
The million-dollar question
“Ryushi” claims that it gathered the information by taking advantage of a flaw in a mechanism that allows computer programmes to communicate with Twitter.
In 2022, Twitter patched the system’s flaw. However, the vulnerability was likely used in the prior hack that compromised over five million accounts.
On December 23rd, the DPC indicated that it was looking into the prior incident.
Given that Twitter’s European headquarters are located in Dublin, it is the commission’s responsibility to ensure that Twitter complies with EU data protection legislation.
The hacker understands the severity of the consequences of data loss for the targeted service.
In the web post proposing to sell the data, the hacker tells Twitter that buying back the data “exclusively” is its best chance of avoiding a significant data-protection fine.
Meta was fined 265 million euros ($276 million) in November by the DPC for the breach of data from more than 533 million Facebook users.