Twitter in data-protection probe after '400 million' user details up for sale – BBC

A watchdog is to investigate Twitter after a hacker claimed to have private details linked to more than 400 million accounts.
The hacker, "Ryushi", is demanding $200,000 (£166,000) to hand over the data – reported to include that of some celebrities – and delete it.
Ireland's Data Protection Commission (DPC) says it "will examine Twitter's compliance with data-protection law in relation to that security issue".
Twitter has not commented on the claim.
The data is said to include phone numbers and emails, including those belonging to celebrities and politicians, but the purported size of the haul is not confirmed. Only a small "sample" has so far been made public.
The Guardian reported that data of US Congresswoman Alexandria Ocasio-Cortez was included in the sample of data published by the hacker. The data of broadcaster Piers Morgan, who recently had his Twitter account hacked, is also reported to be included.
Twitter has so far not responded to press inquiries about the claimed breach.
Chief executive Elon Musk did not reply to a tweeted request for comment from leading cyber-security reporter Brian Krebs – though the breach, as Mr Krebs notes, probably occurred before the Tesla boss took over.
Hey @elonmusk, since you don't seem to have much a media/comms team anymore, can you address the apparently legitimate claim that someone scraped & is now selling data on hundreds of millions of Twitter accounts? Maybe it didn't happen on your watch, but you owe Twitter a reply.
Cyber-crime intelligence company Hudson Rock says it was the first to raise the alarm about the data sale.
While acknowledging the amount of data taken had not been verified, the firm's chief technology officer, Alon Gal, told the BBC a number of clues appeared to support the hacker's claim.
The data did not appear to have been copied from an earlier breach in which details were published from 5.4 million Twitter accounts, Mr Gal said.
Only 60 emails out of the sample of 1,000 provided by the hacker in the earlier incident appeared, "so we are confident that this breach is different and significantly bigger", he said.
Also, Mr Gal noted: "The hacker aims to sell the database through an escrow service that is offered on a cyber-crime forum. Typically this is only done for real offerings."
An escrow service is a third party that agrees to release funds only when certain conditions (such as handing over data) are met.
"Ryushi" has said that, to compile the data, it exploited a problem with a system that lets computer programs connect with Twitter.
Twitter fixed the weakness in the system in 2022. But the flaw is also believed to have been used in the earlier breach affecting more than five million accounts.
The DPC announced it was investigating that earlier breach on 23 December.
As Twitter's European headquarters are based in Dublin, the commission is the lead authority supervising its compliance with EU data-protection rules.
In a statement sent to the BBC about the latest incident, the DPC noted its continuing investigation into the earlier Twitter breach but added: "Reports have claimed that some additional datasets have now been offered for sale on the dark web.
"The DPC has engaged with Twitter in this inquiry and will examine Twitter's compliance with data-protection law in relation to that security issue."
The hacker is aware of how damaging the loss of data can be for platforms.
In the online post offering to sell the data, it warns Twitter that its best chance of avoiding a large data-protection fine is to buy back the data "exclusively".
In November, Meta was hit with a 265m-euro ($276m) fine by the DPC after data scraped from more than 533 million Facebook users was leaked online.
The UK Information Commissioner's Office (ICO) told the BBC that it was aware of "media reports" regarding Twitter users' personal information being made available on the internet.
"We are engaged in dialogue with Twitter's data protection officer and will be making enquiries on this matter," it said.
It added that it would co-operate with the Data Protection Commission of Ireland.
© 2023 BBC.