'Credible threat': 400 million Twitter users' private data allegedly at risk

In a "small sample," the hackers shared partial personal information of famous people, including TV personality Piers Morgan.
Baba Tamim
Twitter logo
Twitter logo

NurPhoto/Getty Images 

A private Israeli cybercrime company has warned of the "credible threat" of online criminals allegedly attempting to sell the privacy information of 400 million Twitter users, including well-known figures from around the world.

Model Cara Delevingne, American politician Alexandria Ocasio-Cortez, pop musician Shawn Mendes, and former Australian prime minister Scott Morrison are among the celebrities whose private information may have been exposed, according to the private intelligence firm Hudson Rock.

"Hudson Rock discovered a credible threat actor is selling 400,000,000 Twitter users data," the firm tweeted on Saturday. 

"The private database contains devastating amounts of information including emails and phone numbers of high profile users such as AOC, Kevin O'Leary, Vitalik Buterin & more."

The unconfirmed breach claimed to have shared partial credentials of the personalities in a "small sample" that Interesting Engineering chose not to share. 

"Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imaging the fine of 400m users breach," wrote the alleged hacker.

"I will advice you, Your best option to avoid paying $276 million USD in GDPR breach fines like facebook did … is to buy this data exclusively."

The alleged hacker claimed the data was "completely private" and what was shared "doesn't represent even 1% of data" of verified Twitter users. 

Piers Morgan's Twitter hack is no coincidence

It was "likely not a coincidence," according to the cybersecurity company, that media star Piers Morgan, who also appeared in data samples made public by the hacker, had his Twitter account compromised.

Most Popular

The majority of Morgan's Twitter content was deleted, and it was used to send out insults and abusive messages addressed to the late British Queen and the artist Ed Sheeran.

This happened after the U.K.'s education secretary, Gillian Keegan, appeared to have her account hacked on Christmas Day. With links to websites promoting cryptocurrencies like bitcoin, her account responded to multiple tweets.

Morrison's phone number was not listed, and the only reference of the attack involved his official email address, which is available to the public. This may have limited the damage that could have been done.

The bug 

Twitter acknowledged in August that a flaw in its API systems discovered in January 2022 had made it possible for users to determine which, if any, Twitter accounts were linked to a phone number or email address. 

This could allow "people to patch together a data record of both public and private information," such as the private phone numbers and emails of prominent users, by exploiting the vulnerability, The Guardian reported on Wednesday. 

In June 2021, Twitter's code underwent an update that led to the problem. After being discovered, it was fixed, however, Twitter discovered in July 2022 that "a bad actor had taken advantage of the issue before it was addressed."

That followed an attempt to sell 5.4 million consumers' email addresses and phone numbers. Twitter promised to notify individuals who have been directly impacted by the breach.

The cybercriminals' alleged access to what they claim to have has not yet been independently verified by anyone.

"Please Note: At this stage, it is not possible to fully verify that there are indeed 400,000,000 users in the database." the cyber firm wrote in the thread of tweets.