UPDATED 19:33 EDT / DECEMBER 27 2022

SECURITY

Data of 400M Twitter users offered for sale on hacking forum

A hacker is offering for sale data from some 400 million Twitter accounts that is said to have been scraped via an application programming interface vulnerability.

The hacker goes by the name of Ryushi on BreachForums, the successor site to the now-shuttered RaidForums. The hacker claims that the data includes the email addresses and phone numbers of celebrities, politicians, companies and others.

On the listing, Ryushi lists email addresses for Donald Trump Jr., Alexandria Ocasio-Cortez, Neil DeGrasse Tyson, Piers Morgan, Stephen Curry and various others. The hacker also links to a .CSV file with the same information for an additional 1,000 Twitter users as further proof.

In a twist, the hacker also addresses both Twitter and Elon Musk, claiming that their best option is to purchase the data, which is then claimed to be 533 million users, to avoid the risk of a European Union General Data Protection Regulation fine. Ryushi then adds that if Musk or Twitter purchases the data, the data will not be sold to others “which will prevent a lot of celebrities and politicians from phishing, crypto scams, sim swapping, doxing and other things that will make your users lose trust in you as a company.

“From [sic] content creators this is a sensitive time, which will make things far worse and if you are unsure just run a poll on Twitter like usual and people will choose their fate because at the end of the day it’s the company’s fault that this data was breached,” the hacker added.

According to Bleeping Computer, the hacker collected the private phone numbers and email addresses using an API vulnerability that Twitter fixed in January 2022. The same API vulnerability is believed to have been used to steal data relating to 5.4 million Twitter users that first appeared in July and was then released for free in November.

Although the validity of the claimed 400 million plus or 533 million users — the hacker uses both numbers — is not confirmed, if any of it is legitimate, the stolen data will gain the attention of regulatory authorities.

Last week, Ireland’s Data Protection Commission announced that it had launched a probe into the previous 5.4 million stolen Twitter records.

Before the launch of the probe, the commission requested additional information from Twitter about its compliance with data privacy regulations. Having reviewed the information, the commission determined that the company may have infringed the EU GDPR and the Data Protection Act 2018, the U.K.’s implementation of GDPR.

Image: BreachForum
