An unknown hacker or hacker group has put a database online containing the email addresses and phone numbers associated with 5.4 million Twitter accounts. The attacker was able to retrieve the data through a bug that has since been fixed.
The database is being offered on Breach Forums and was discovered by Restore Privacy. The attackers want “at least $30,000” for it. The database contains no passwords, but it does contain the email addresses, phone numbers, or both of a total of 5,485,636 Twitter users. The attacker says the data breach includes accounts of celebrities and companies. Restore Privacy was able to determine that the leak is authentic, but could not verify the claim that famous names are among the affected accounts.
The attacker obtained the data through a known vulnerability that has since been fixed. The vulnerability was reported on January 1 on the bug bounty platform HackerOne by a security researcher. It was a bug in the Android client that required an attacker to make a POST request to Twitter’s onboarding API. The security researcher describes the issue in detail on HackerOne. Twitter acknowledged the vulnerability and fixed it on January 13. Details were published on February 11, and the researcher was awarded a $5,040 reward. It is not known how the attacker who now offers the database obtained the information needed to carry out the attack.