A threat actor going by the name “devil” wrote a post on July 21 stating that they had collected the data of 5.4M users, including “celebrities, to companies, randoms, OGs, etc..” before providing examples.
According to BleepingComputer, devil told them in an interview that “interested buyers have already approached them.”
The vulnerability used to collect the data was disclosed by a user of the bug-bounty platform HackerOne, who submitted a report to Twitter. The vulnerability “allows any party, without any authentication to obtain a twitter ID of any user by submitting a phone number/email even though the user has prohibitted (sic) this action in the privacy settings,” according to the reporter.
What this means is that anyone holding a phone number or e-mail address could check whether a Twitter account was associated with it, even when the account owner had turned off the setting that allows discovery by phone number or e-mail.
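To make the failure concrete, the following is an added illustration (not Twitter's code, and the accounts are constructed): a contact lookup that ignores the user's discoverability setting beside a version that honours it and returns an indistinguishable "no result" for opted-out and unknown contacts.

```python
"""Constructed sketch of the discoverability bypass; none of this is Twitter's code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool  # the privacy setting the flawed lookup ignores
    discoverable_by_phone: bool


# Constructed sample accounts with invented identifiers.
ACCOUNTS = [
    Account(1001, "alice@example.com", "+15550001", True, True),
    Account(1002, "bob@example.com", "+15550002", False, False),  # opted out
]


def lookup_vulnerable(contact: str) -> Optional[int]:
    """Flawed behaviour: matches on e-mail or phone and returns the user ID
    without checking the account's discoverability setting, so an
    unauthenticated caller can confirm which contacts map to accounts."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct.user_id
    return None


def lookup_fixed(contact: str) -> Optional[int]:
    """Hardened behaviour: honour the setting that matches the contact type,
    and return the same None for opted-out and unknown contacts so the two
    cases cannot be told apart by the caller."""
    for acct in ACCOUNTS:
        if contact == acct.email and acct.discoverable_by_email:
            return acct.user_id
        if contact == acct.phone and acct.discoverable_by_phone:
            return acct.user_id
    return None


def leaks_opted_out_account(lookup) -> bool:
    """Regression check: True if the given lookup reveals any account whose
    owner disabled discovery for the contact type being queried."""
    for acct in ACCOUNTS:
        if not acct.discoverable_by_email and lookup(acct.email) is not None:
            return True
        if not acct.discoverable_by_phone and lookup(acct.phone) is not None:
            return True
    return False
```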
Within two weeks, Twitter fixed the vulnerability. In an interview with BleepingComputer, devil stated that they were not the HackerOne user who initially reported the vulnerability.
Twitter is currently investigating, but BleepingComputer did confirm on their website that the data was legitimate.