How Twitter Fixed a Critical Bug and Stopped a 5.4M‑Account Data Leak
Twitter’s engineering team patched a major security flaw that exposed the email addresses and phone numbers of over 5.4 million accounts. The harvested dataset was later offered for sale on Breached Forums for $30,000, and the researcher who reported the flaw received a $5,040 bug‑bounty reward.
Twitter announced that its engineering team has just fixed a critical security vulnerability that allowed attackers to obtain information from more than 5.4 million Twitter accounts.
A hacker managed to acquire a large batch of Twitter usernames and associated data, then listed the stolen dataset for sale on the Breached Forums marketplace.
The seller claimed the database contains user data ranging from celebrities to companies, including email addresses and phone numbers, and offered a sample CSV file. The entire dataset was priced at US $30,000.
Breached Forums verified the authenticity of the leak, stating: “We downloaded the sample database for verification and analysis. The data includes people worldwide, with publicly available profiles and the email or phone number linked to each Twitter account.”
Twitter’s response explained that the issue was discovered through its bug‑bounty program. According to the report, when an email address or phone number was submitted to Twitter’s system, the platform disclosed which Twitter account, if any, that identifier was linked to. Upon learning of this, Twitter immediately investigated and patched the flaw.
The vulnerability was reported by researcher “zhirinovskiy” via the HackerOne platform, and after the fix, Twitter awarded a US $5,040 bounty.
This incident stems from a product‑logic flaw rather than a coding error in the usual sense; it is a reminder to product managers and developers to pay close attention to system design and to the data‑exposure risk of every lookup an API answers.
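To make the product‑logic point concrete, here is an added example (not Twitter’s code, and not taken from the HackerOne report) of the flaw pattern described above beside a hardened version, together with the regression check a reviewer would want: an endpoint that accepts an email or phone number must answer identically whether or not that identifier is linked to an account. The `ACCOUNTS` table, the `HardenedLookup` class and the per‑caller quota are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real accounts): contact identifier -> handle.
ACCOUNTS = {
    "alice@example.com": "@alice",
    "+15550100": "@bob",
}


def vulnerable_lookup(contact: str) -> dict:
    """Flaw pattern described in the article: submitting an email or phone
    number tells the caller whether an account is linked, and which one.
    The response itself is the oracle, so anyone who can call the endpoint
    can test identifiers in bulk."""
    handle = ACCOUNTS.get(contact)
    if handle is None:
        return {"status": "no_account"}
    return {"status": "found", "account": handle}


class HardenedLookup:
    """Same entry point, hardened: the response body is identical whether or
    not the contact is linked, and each caller gets a per-window quota.
    Window bookkeeping is reduced to a plain counter for this example."""

    def __init__(self, max_per_window: int = 5):
        self.max_per_window = max_per_window
        self.calls = defaultdict(int)

    def lookup(self, caller_id: str, contact: str) -> dict:
        self.calls[caller_id] += 1
        if self.calls[caller_id] > self.max_per_window:
            return {"status": "rate_limited"}
        # The store is still consulted so that any follow-up (for example a
        # notification to the account owner) can happen out of band, but
        # nothing about the result is reflected back to the requester.
        _linked = contact in ACCOUNTS
        return {"status": "accepted"}


def leaks_existence(lookup, linked: str, unlinked: str) -> bool:
    """Regression check: does the endpoint answer differently for a contact
    that is linked to an account and one that is not? Any difference is an
    account-existence oracle and should fail the build."""
    return lookup(linked) != lookup(unlinked)


if __name__ == "__main__":
    linked, unlinked = "alice@example.com", "nobody@example.com"
    print("vulnerable leaks:", leaks_existence(vulnerable_lookup, linked, unlinked))
    hardened = HardenedLookup()
    print("hardened leaks:",
          leaks_existence(lambda c: hardened.lookup("tester", c), linked, unlinked))
```

The check compares response bodies only; in a real service the status code, headers and response time must be uniform as well, and the quota should be keyed on something the caller cannot cheaply rotate (an authenticated session rather than a bare IP address).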
21CTO