Back in January 2022, Twitter received a report through its bug bounty program about a potential vulnerability. This is exactly what was exploited recently, and it pertains to accounts where people had submitted an email address or phone number to Twitter’s systems. Twitter was able to patch it quickly at the time, but had no knowledge of misuse in the wild. The company was first notified of the leak last month and, after reviewing the data, has now officially confirmed it.

RestorePrivacy was also able to talk to the hacker in question, who explained that the data was collected in December 2021, before the vulnerability was patched. The hacker is looking to sell the entire leaked database of 5.4 million users for $30,000. The contents, though, are very random and include everything from celebrities and companies to individuals, random accounts and more.

Twitter will directly inform the users affected by the vulnerability, although it does not yet have confirmation of the actual accounts in the database. While this isn’t an overtly personal leak, like one involving passwords, it can still affect people by way of phishing or more sophisticated attacks.

– HackerOne Report on the Vulnerability

You can read more about the exact nature of the vulnerability here.