A leak of partial data on 400 million Twitter users has included Scott Morrison’s official email address and likely led to the hacking of Piers Morgan’s account. Photograph: Dado Ruvić/Reuters

Cybersecurity firm links Piers Morgan Twitter hack to leak of 400m records

Former Australian prime minister Scott Morrison among politicians and celebrities whose details were in sample of allegedly hacked data published online

The former Australian prime minister Scott Morrison appears to have been caught up in a leak of partial data on 400 million Twitter users, along with celebrities including the model Cara Delevingne, US politician Alexandria Ocasio-Cortez and pop singer Shawn Mendes.

Morrison’s Twitter account was included in a sample of data released by an alleged cybercriminal last week.

The cybersecurity firm that alerted the public to the apparent hacker’s claim said it was “likely not a coincidence” that media personality Piers Morgan, who also appeared in data samples published by the hacker, has just had his Twitter account hacked.

Most of Morgan’s Twitter account content had been wiped, but according to reports, it had sent out slurs and abusive messages directed at the late Queen and at UK singer Ed Sheeran.

Only Morrison’s official email address, which was already publicly accessible, was mentioned as being included in the hack; his phone number was not listed, which may limit any potential harm.

The hacker claimed the data had been “scraped” from Twitter via a “vulnerability” in the site, and “includes emails and phone numbers of celebrities, politicians, companies, normal users, and a lot of OG and special usernames”.

The hacker offered data for sale “exclusively” to Twitter for US$200,000 (A$300,000) in order for the company to avoid paying EU General Data Protection Regulation (GDPR) fines.

The Guardian has decided not to name the site.

In August, Twitter admitted that a vulnerability in its API systems identified in January had allowed people to discover what, if any, Twitter account was associated with a phone number or email address. By exploiting the vulnerability, people could patch together a data record of both public and private information – such as the private phone numbers and emails of high-profile users.

The bug was caused by an update to Twitter’s code in June 2021. It was patched once identified, but in July 2022, Twitter learned “a bad actor had taken advantage of the issue before it was addressed”.

That came after someone attempted to sell the email addresses and phone numbers of 5.4 million users. Twitter said it would alert users confirmed to have been affected by the breach.

BREAKING: Hudson Rock discovered a credible threat actor is selling 400,000,000 Twitter users data.

The private database contains devastating amounts of information including emails and phone numbers of high profile users such as AOC, Kevin O'Leary, Vitalik Buterin & more (1/2). pic.twitter.com/wQU5LLQeE1

— Hudson Rock (@RockHudsonRock) December 24, 2022

Those details were released in November, with reports at the time that it could be the tip of the iceberg, and with no one able to confirm for sure how many users had been caught up by people exploiting the flaw.

Israeli cyber-intelligence firm Hudson Rock appeared to be among the first to notice the posting offering the data of 400 million Twitter users, tweeting about the “credible threat” three days ago.

So far, no one has independently verified that the poster has access to what they claim.

Guardian Australia has contacted Morrison’s office for comment.
