Twitter in data-protection probe after '400 million' user details up for sale
A watchdog is to investigate Twitter after a hacker claimed to have private details linked to more than 400 million accounts.
The hacker, "Ryushi", is demanding $200,000 (£166,000) to hand over the data - reported to include that of some celebrities - and delete it.
Ireland's Data Protection Commission (DPC) says it "will examine Twitter's compliance with data-protection law in relation to that security issue".
Twitter has not commented on the claim.
The data is said to include phone numbers and emails, including those belonging to celebrities and politicians, but the purported size of the haul is not confirmed. Only a small "sample" has so far been made public.
The Guardian reported that data of US Congresswoman Alexandria Ocasio-Cortez was included in the sample of data published by the hacker. The data of broadcaster Piers Morgan, who recently had his Twitter account hacked, is also reported to be included.
Twitter has so far not responded to press inquiries about the claimed breach.
Chief executive Elon Musk did not reply to a tweeted request for comment from leading cyber-security reporter Brian Krebs - though the breach, as Mr Krebs notes, probably occurred before the Tesla boss took over.
Hey @elonmusk, since you don't seem to have much a media/comms team anymore, can you address the apparently legitimate claim that someone scraped & is now selling data on hundreds of millions of Twitter accounts? Maybe it didn't happen on your watch, but you owe Twitter a reply.
— briankrebs (@briankrebs) December 27, 2022
Cyber-crime intelligence company Hudson Rock says it was the first to raise the alarm about the data sale.
While acknowledging the amount of data taken had not been verified, the firm's chief technology officer, Alon Gal, told the BBC a number of clues appeared to support the hacker's claim.
The data did not appear to have been copied from an earlier breach in which details were published from 5.4 million Twitter accounts, Mr Gal said.
Only 60 emails out of the sample of 1,000 provided by the hacker in the earlier incident appeared, "so we are confident that this breach is different and significantly bigger", he said.
Also, Mr Gal noted: "The hacker aims to sell the database through an escrow service that is offered on a cyber-crime forum. Typically this is only done for real offerings."
An escrow service is a third party that agrees to release funds only when certain conditions (such as handing over data) are met.
Multimillion-dollar question
"Ryushi" has said that it exploited a problem with a system that lets computer programmes connect with Twitter to compile the data.
Twitter fixed the weakness in the system in 2022. But the flaw is also believed to have been used in the earlier breach affecting more than five million accounts.
The DPC announced it was investigating that earlier breach on 23 December.
As Twitter's European headquarters are based in Dublin, the commission is the lead authority supervising its compliance with EU data-protection rules.
In a statement sent to the BBC about the latest incident, the DPC noted its continuing investigation into the earlier Twitter breach but added: "Reports have claimed that some additional datasets have now been offered for sale on the dark web.
"The DPC has engaged with Twitter in this inquiry and will examine Twitter's compliance with data-protection law in relation to that security issue."
The hacker is aware of how damaging the loss of data can be for platforms.
In the online post offering to sell the data, it warns Twitter that its best chance of avoiding a large data-protection fine is to buy back the data "exclusively".
In November, Meta was hit with a 265m-euro ($276m) fine by the DPC after data scraped from more than 533 million Facebook users was leaked online.
The UK Information Commissioner's Office (ICO) told the BBC that it was aware of "media reports" regarding Twitter user's personal information being made available on the internet.
"We are engaged in dialogue with Twitter's data protection officer and will be making enquiries on this matter," it said.
It added that it would co-operate with the Data Protection Commission of Ireland.