Account information for 5.4 million people leaked from Twitter and hackers sold for 4 million yen
Twitter has revealed that a code change made in June 2021 introduced a vulnerability that allowed anyone to obtain the phone number and email address associated with an account. According to Bleeping Computer, the news site that reported the situation before Twitter's announcement, the leaked information covered 5.4 million accounts, and the hacker had offered it for sale on a forum at a price of about 4 million yen.

An incident impacting some accounts and private information on Twitter
https://privacy.twitter.com/en/blog/2022/an-issue-affecting-some-anonymous-accounts
Hackers might have figured out your secret Twitter accounts - The Verge
https://www.theverge.com/2022/8/7/23295873/hackers-secret-twitter-accounts-security-flaw-vulnerability

Hacker selling Twitter account data of 5.4 million users for $30k
https://www.bleepingcomputer.com/news/security/hacker-selling-twitter-account-data-of-54-million-users-for-30k/

Twitter confirms zero-day used to expose data of 5.4 million accounts
https://www.bleepingcomputer.com/news/security/twitter-confirms-zero-day-used-to-expose-data-of-54-million-accounts/

According to Twitter, the vulnerability was that if someone submitted a phone number or email address to Twitter's systems, the systems would tell them which Twitter account, if any, that phone number or email address was associated with. The vulnerability is believed to have been introduced by the code update in June 2021; it was reported through the bug bounty program in January 2022 and was investigated and fixed immediately.
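To make the mechanism concrete, here is an added example written for this article. It is not Twitter's code and is not taken from the HackerOne report: it models a minimal contact-lookup service with the defective behaviour beside a fixed one. Account names, email addresses and phone numbers are constructed placeholders, and the "discoverable" settings are an assumption about how such a lookup is gated.

```python
# Added example (not Twitter's code): a toy model of a "find account by phone
# number / email" lookup. The vulnerable variant confirms the linked account
# for every identifier it knows; the fixed variant only does so when the
# account owner opted in, and answers identically for unknown identifiers and
# for accounts that opted out, so the endpoint no longer acts as an oracle.
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass
class Account:
    username: str
    email: str
    phone: str
    discoverable_by_email: bool = False   # user setting: "let people find me by email"
    discoverable_by_phone: bool = False   # user setting: "let people find me by phone"


# Constructed sample data; these are placeholders, not real accounts.
ACCOUNTS = [
    Account("public_brand", "press@example.com", "+15550100001", True, True),
    Account("anon_whistleblower", "anon@example.org", "+15550100002", False, False),
]


def _normalize(identifier: str) -> str:
    # Drop all whitespace and lower-case so "+1 555 010 0001" matches "+15550100001".
    return "".join(identifier.split()).lower()


def build_indexes(accounts: Iterable[Account]):
    """Index accounts separately by email and by phone number."""
    by_email: Dict[str, Account] = {}
    by_phone: Dict[str, Account] = {}
    for acct in accounts:
        by_email[_normalize(acct.email)] = acct
        by_phone[_normalize(acct.phone)] = acct
    return by_email, by_phone


EMAIL_INDEX, PHONE_INDEX = build_indexes(ACCOUNTS)


def lookup_vulnerable(identifier: str) -> dict:
    """Defective behaviour: reports the linked account for any known email or
    phone number, ignoring the owner's discoverability settings."""
    key = _normalize(identifier)
    acct = EMAIL_INDEX.get(key) or PHONE_INDEX.get(key)
    if acct is None:
        return {"found": False}
    return {"found": True, "username": acct.username}


def lookup_hardened(identifier: str, kind: str) -> dict:
    """Fixed behaviour: a match is returned only when the owner opted in for
    this kind of lookup. "Unknown identifier" and "known but not discoverable"
    produce the same response, so nothing confirms that the identifier belongs
    to any account."""
    if kind == "email":
        acct = EMAIL_INDEX.get(_normalize(identifier))
        opted_in = acct is not None and acct.discoverable_by_email
    elif kind == "phone":
        acct = PHONE_INDEX.get(_normalize(identifier))
        opted_in = acct is not None and acct.discoverable_by_phone
    else:
        raise ValueError("kind must be 'email' or 'phone'")
    if not opted_in:
        return {"found": False}
    return {"found": True, "username": acct.username}


if __name__ == "__main__":
    # The opted-out account is exposed by the vulnerable lookup, not by the fixed one.
    print(lookup_vulnerable("anon@example.org"))           # {'found': True, 'username': 'anon_whistleblower'}
    print(lookup_hardened("anon@example.org", "email"))    # {'found': False}
    print(lookup_hardened("nobody@example.net", "email"))  # {'found': False}
    print(lookup_hardened("+1 555 010 0001", "phone"))     # {'found': True, 'username': 'public_brand'}
```

The point of the fixed variant is the absence of a third answer: a caller cannot distinguish "no such account" from "account exists but is not discoverable", which is exactly the distinction the reported restriction bypass leaked.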

Security company HackerOne has published a timeline for this vulnerability: it was reported on January 2, 2022, the response was completed on January 14, 2022, and a reward of $5,040 (about 680,000 yen) was paid.

#1439026 Discoverability by phone number/email restriction bypass
https://hackerone.com/reports/1439026

However, a forum user named 'devil' had obtained the data of 5,485,636 accounts before this fix and offered it for sale for $30,000 (about 4 million yen). devil claims the data includes the accounts of celebrities and companies.

On July 22, 2022, the news site Bleeping Computer reported that data stolen from Twitter was being sold and asked Twitter for comment, but at that point Twitter's only answer was, "We have not been able to confirm a data breach."

in Web Service, Security, Posted by logc_nt