Swirling in the turbulent blue vortex of check marks and near-daily tumult that is Elon Musk’s Twitter, another new and troubling story broke earlier this week. According to a massive discovery made by cybercrime intelligence agency Hudson Rock, the user data from more than 400 million Twitter accounts in December 2021 has been exposed, with said data now up for sale on the dark web.

The “credible threat actor” behind this worrying breach shared a sample of the stolen data to demonstrate its authenticity. Accounts’ usernames as well as real names, emails addresses, phone numbers and more were allegedly pulled, including data from high-profile users like government officials and agencies (e.g. Alexandria Ocasio-Cortez, NASA’s James Webb Space Telescope account, and the WHO) on top of musical celebrities, accounts of foreign authorities, the NBA and others.

According to Dataconomy, Hudson Rock suspects that the hacked information was accessed through an API vulnerability. This flaw, while purportedly fixed in January of this year, was evidently still accessed and abused.

On a hacker forum, the threat actor claimed this is a “sensitive time” before (in what seemed like a direct retort to Musk) said “… just run a poll like usual and people will choose their fate” (as Musk has often done in the past, regarding polling about politics, charged social discourse, and even the status of a new Twitter CEO if he were to step down).

It appears the hacker’s goal is to sell 2021 data back to Musk and Twitter as a whole; for them to buy the data exclusively in order to avoid paying larger GDPR breach fines.

Not only are many now-public identities under the microscope, but banking information and addresses can also often be found via access to phone numbers. (And with more exposed account info, potential phishing attempts and dangerous crypto scams can be enacted more easily, too.)

Right now, tips for lower-profile users include enabling 2FA (via an app, as opposed to a phone number) along with securely-stored passwords, and the use of private, self-hosted crypto wallets for any to which this applies.

This story will be monitored as it develops, with the hopes that Twitter is able to rectify the situation without seeing more data fall in harm’s way.