Cyber Incident Victim: Twitter
Date: Jan 2021
Location: United States of America
Summary
A threat actor using the alias 'Ryushi' advertised the sale of scraped data allegedly belonging to over 400 million Twitter users, obtained via a previously patched API vulnerability that linked private phone numbers and email addresses to public profile information. The hacker demanded $200,000 for exclusive access to the dataset, threatening public release and potential GDPR fines otherwise, citing a prior penalty against another platform. Samples of the data, including profiles of celebrities and politicians, were leaked for validation, with independent analysts confirming their legitimacy though the full scale remains unverified. The exploited vulnerability had been associated with an earlier breach impacting millions of users and was under investigation by EU privacy regulators. The incident highlighted risks of phishing, scams, and business email compromise leveraging the exposed private contact details.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In December 2022, a threat actor using the alias 'Ryushi' advertised a dataset purportedly containing public and private information of over 400 million Twitter users on the Breached hacking forum. The actor claimed the data was collected in 2021 by exploiting an API vulnerability that Twitter had patched in January 2022. This vulnerability allowed attackers to submit phone numbers or email addresses to a Twitter API endpoint, which returned associated user IDs. These IDs were then linked to public profile data through another API, compiling comprehensive user profiles containing both public details (usernames, follower counts, account creation dates) and private information (email addresses and phone numbers). Ryushi demanded $200,000 for an exclusive sale of the dataset, threatening to sell copies to multiple buyers for $60,000 each if Twitter or Elon Musk did not purchase it. The actor explicitly referenced Twitter’s potential liability under GDPR regulations, citing Facebook’s $276 million fine for a similar 533 million-user scraping incident as a warning.

The forum post included samples of 37 high-profile accounts—such as politicians, journalists, and celebrities—and later leaked 1,000 additional profiles. BleepingComputer confirmed two profiles as valid, while threat intelligence firm Hudson Rock stated the samples appeared legitimate but could not verify the full 400 million-user claim. Ryushi disclosed to BleepingComputer that they used the same vulnerability linked to an earlier breach of 5.4 million Twitter users, corroborating details with the seller of that dataset. Twitter had not responded to the actor’s attempts at contact. The incident coincided with an ongoing investigation by Ireland’s Data Protection Commission into the earlier 5.4 million-user breach, which also stemmed from the patched API flaw. A separate threat actor claimed to possess data on 17 million users scraped via the same vulnerability, though this dataset remained private and unsold at the time of reporting.
