The IT Nerd

You might recall that Twitter appears to have been pwned. And pwned big. When I posted this story, I had said that “millions” of Twitter users might be affected. The number is actually 400 million users:

They have already warned Elon Musk’s Twitter as “they should purchase the data before it leads to a large fine under Europe’s GDPR privacy law.”

“Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imaging the fine of 400m users breach source,” wrote Ryushi in a forum post. “Your best option to avoid paying $276 million USD in GDPR breach fines like Facebook did (due to 533m users being scraped) is to buy this data exclusively.” 

In the post, the hacker explains how this data can be used for phishing attacks and other scams. Ryushi says they were able to collect public and private Twitter data, such as users’ email addresses, names, usernames, follower count, creation date, and phone numbers. While most of this data can be found online, phone numbers and email addresses are private information.

Ryushy acquired data from 37 celebrities, including Alexandria Ocasio-Cortez, Donald Trump JR, Mark Cuba, Kevin O’Leary, and Piers Morgan, Bleeping Computer reports. The hacker told the publication that they are “attempting to sell the Twitter data exclusively to a single person/Twitter for $200,000 and will then delete the data. If an exclusive purchase is not made, they will sell copies to multiple people for $60,000 per sale.”

The hacker highlighted why this is very bad news for Elon. The GDPR. He’s running the risk of having to cut a check for hundreds of millions of dollars because of this. And buying the data won’t make that risk go away methinks. In fact, as I said in the original post that I made about this, an investigation is already underway.

John Gunn, CEO of Token chimes in with this:

The claims of the hackers are baseless as far as possible fines are concerned as GDPR does not mandate that companies never get hacked, and equally important, claiming you were a victim of hackers and paying a ransom does not alleviate any company from their responsibilities and potential penalties under GDPR or any other EU regulation.

Thus Elon is in deep trouble on the EU front. But his problems don’t end there. Twitter is under a consent decree with the Federal Trade commission. And that consent decree says that Twitter will do the following:

• prohibit Twitter from profiting from deceptively collected data;
• allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
• notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
• implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
• limit employee access to users’ personal data; and
• notify the FTC if the company experiences a data breach.

As far as I can tell, Elon and company haven’t even admitted that this breach exists despite it being the worst kept secret in cybersecurity right now. Thus if Elon and company truly haven’t told the FTC about this, they’ve violated the last part of that consent decree. Which means that he’s just asking to get slapped silly by the FTC. In fact, I would not be surprised if the FTC is already dotting its “I”‘s and crossing its “T”‘s in preparation of dropping a bomb or two on Twitter.

I suspect that life is about to get very, very difficult for Elon in the next few days. You might want to pop some popcorn as it will be interesting and fun to watch. Unless you’re Elon Musk.

This entry was posted on December 27, 2022 at 4:23 pm and is filed under Commentary with tags Twitter. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.