A person is trying to blackmail Elon Musk with a massive data leak
A new challenge for Elon Musk to manage? An ad posted on December 23rd on the most popular forum for selling information should catch his attention. A user under the pseudonym Ryushi claims to have data from 400 million Twitter accounts. This would be a mix of public information (usernames, account creation dates, etc.) and personal information (email addresses and phone numbers).
The scammer intends to sell the database to a single buyer, without naming a price, and is pressing Elon Musk to be that buyer to avoid trouble. At stake: the social network’s reputation, but also a potential fine from a European regulator. The billionaire owner of the social network, usually quick to respond to the slightest comment on his platform, has so far not commented on the topic despite several attacks.
Phone numbers of celebrities have been stolen
Alon Gal, founder of Hudson Rock and a widely followed expert on data breaches, notes on his LinkedIn account that “At the moment, the database actually has the data of 400 million users, even the last one directly Twitter.” Indeed, fraudsters abound in this environment, because deals rest on nothing but the seller’s word. Unlike in legitimate trade, the buyer has no protection if he is cheated on the goods.
Crafty hackers often build on data that has already leaked to add volume to their offer. Likewise, just because the data belongs to Twitter doesn’t necessarily mean the company is to blame for the leak: it’s not uncommon for subcontractors to leak their customers’ data after a cybersecurity incident.
To convince forum members that his claims were true, Ryushi included a sample of 1,000 entries in his announcement, a common practice in this environment. The sample includes information on celebrities such as singer Shawn Mendes and basketball player Stephen Curry, on major organizations such as NASA, and on political figures such as Republican Donald Trump Jr. and Democrat Alexandria Ocasio-Cortez.
Displaying these well-known names allows criminals both to attract attention to their ads and to raise their prices. For good reason: having information about rich and influential figures increases the potential profits for hackers using the database. But Ryushi already has a buyer in mind: Elon Musk, although the latter has not yet responded to the offer.
Blackmail over the fine
“Twitter or Elon Musk, if you’re reading this. You’re already at risk of being fined for breaching the GDPR after 5.4 million pieces of data were leaked earlier this year. Imagine the fine for a breach affecting 400 million users, or 75 times as many people,” he writes. In a threatening tone, Baskasan points out that Facebook received a fine of 265 million euros from the Irish data authority at the end of November for violating the GDPR. One of the features of the social network allowed hackers to steal the data of more than 533 million users in 2019, phone numbers in particular.
Ryushi therefore suggests that the billionaire buy the database himself to cover up the matter. If the businessman complies, the hacker promises to delete his post and never sell the database again. “So you will protect many celebrities and political figures,” he says, before giving a long list of malicious actions that the data would make possible.
Specifically, the phone numbers and emails in the database could be useful for phishing: criminals who know the identity of the recipients would send personalized messages to trick their victims into installing malware or giving up their credentials. In other words, the information in the database is not enough to steal the accounts (Twitter, Instagram…) or money of the people concerned, but it gives the fraudsters a starting point.
To complete his pitch, Ryushi also resorts to blackmail over reputation. “The leak of this data (…) is the fault of the company. Influencers will no longer trust you, which would be a shame given the current projects for Twitter,” he insists. Elon Musk, who has been dumped by advertisers on Twitter and is in big trouble with Tesla shareholders, doesn’t need another scandal, even if he can blame it on the former management.
A leak from January
Ryushi claims to have recovered the data in early 2022 thanks to a vulnerability that has already been discussed. In July, another person put a similar database up for sale, but with “only” 5.4 million accounts, for $30,000. It contained mostly public information, but also a number of phone numbers and email addresses.
The data from December 2021 was collected thanks to a flaw in the Twitter API, a tool that allows websites and other software to access public data from the social network (for example, for advertising purposes or to post tweets). A bug allowed hackers to send random phone numbers and email addresses to the API and recover the Twitter ID associated with each of them. Thanks to this identifier (which takes the form of a sequence of numbers), hackers were then able to access all kinds of public information on the account using the API. In other words, the API did not directly provide personal information, but it indirectly allowed it to be discovered. The flaw was reported to Twitter by an ethical hacker through HackerOne’s bug bounty program and was immediately fixed.
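The pattern described above, a single client submitting many different phone numbers and email addresses and getting account IDs back, leaves a trace in API logs. The following sketch is an added example, not code from the article or from Twitter; the log format, client names, identifiers and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines for a hypothetical identifier-lookup endpoint.
# Assumed format: "<client> lookup <kind>=<value> -> <account id, or - if none>"
SAMPLE_LOG = """\
app-17 lookup phone=+15550100001 -> 1000231
app-17 lookup phone=+15550100002 -> -
app-17 lookup phone=+15550100003 -> 1000877
app-17 lookup phone=+15550100004 -> -
app-17 lookup email=a1@example.test -> 1000912
app-17 lookup phone=+15550100005 -> 1000455
app-42 lookup email=sam@example.test -> 1000300
app-42 lookup email=sam@example.test -> 1000300
app-42 lookup phone=+15550109999 -> 1000301
""".splitlines()

LINE = re.compile(r"^(\S+) lookup (phone|email)=(\S+) -> (\S+)$")

def summarize(lines):
    """Per client: (distinct identifiers submitted, distinct account IDs returned)."""
    probes, resolved = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not lookups
        client, kind, value, account_id = m.groups()
        probes[client].add((kind, value.lower()))
        if account_id != "-":
            resolved[client].add(account_id)
    return {c: (len(probes[c]), len(resolved[c])) for c in probes}

def flag_enumeration(lines, max_distinct=5):
    """Clients that probed more distinct identifiers than the threshold allows."""
    return sorted(
        (client, n_probes, n_ids)
        for client, (n_probes, n_ids) in summarize(lines).items()
        if n_probes > max_distinct
    )

if __name__ == "__main__":
    for client, n_probes, n_ids in flag_enumeration(SAMPLE_LOG):
        print(f"{client}: {n_probes} distinct identifiers probed, {n_ids} accounts resolved")
```

Counting distinct identifiers rather than raw requests keeps a client that repeatedly looks up the same contact from being flagged.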
A month after the sale of the data, the social network confirmed the existence of the flaw and its connection to the database. Finally, the database of 5.4 million accounts was released for free by another person in September, and then again in late November. BleepingComputer later discovered that several malicious actors used this flaw to steal personal information, and Ryushi is said to be one of them. According to Alon Gal, only 50 of the 1,000 entries in the sample were in the database of 5.4 million records. What does it take to break a buyer?