A user with the handle "Devil" posted an announcement on a forum offering the personal data of 548563 Twitter users for sale for $30,000. The seller reports that the data was obtained through a vulnerability in the social network, and that the data set includes e-mail addresses, phone numbers and accounts of a wide range of people, including celebrities.
The hacker told journalists that the data had been collected as early as December last year. RestorePrivacy reports that the information was obtained through a vulnerability in the Twitter application for Android. It allowed intruders to obtain the phone number and e-mail address linked to a social media account, even if the user had hidden these fields in the privacy settings.
A report on this vulnerability was submitted by a security researcher on HackerOne in early January. Twitter acknowledged the problem, paid the researcher a reward and fixed the bug on 13 January.
Twitter has not yet confirmed the data leak. BleepingComputer was told that the company is investigating the authenticity of the allegations and will do anything to ensure the security of the records. Journalists have checked and confirmed the data of a small number of users in the hacker's data, but it is not known whether all 5.4 million records are valid.
Although most of the data being sold is publicly available, the perpetrators may use the e-mail addresses and phone numbers in targeted phishing attacks.