Over 5.4 million Twitter users have reportedly been targeted in a major breach of personal data following revelations earlier this year that the site had a serious security flaw.
The security flaw came to light in January, when a user on HackerOne named “zhirinovskiy” pointed out that Twitter was vulnerable to hackers seeking to use information for malicious purposes.
At the time, Zhirinovskiy detailed exactly how to exploit the bug and described it as a “serious threat” even in the hands of those with only a “basic knowledge” of scripting and coding.
Twitter acknowledged the problem five days later and appeared to have fixed it a week after that, when it rewarded Zhirinovskiy with a $5,040 bounty for bringing the vulnerability to its attention.
Despite the fix, the phone numbers and email addresses of millions of users, including celebrities, companies, and day-to-day account holders or those with desirable handles, were apparently accessed, and now are being sold via a post on a dark web site called Breached Forums, according to RestorePrivacy.
A seller with the username ‘devil’ claims that “Celebrities, to Companies, randoms, OGs, etc” are included in the data set and is asking for at least $30,000, RestorePrivacy says.
A spokesperson from Twitter told Fortune: “We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability.”
The spokesperson added that Twitter was “reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”
Known hacking forum
Breached Forums is the same hacking forum responsible for the leak of 23 terabytes of data on 1 billion Chinese citizens, which some experts say is the largest data breach in history. The hacker attempted to sell the database for 10 Bitcoin, now equivalent to $202,000.
Meanwhile, other large tech companies have suffered greater breaches—including T-Mobile, which last year had 76.6 million users’ data breached in a cyberattack.
Users aware of the Twitter breach have complained that they only heard through other security services such as Norton and LifeLock.
The breach comes at a difficult moment for Twitter, only weeks after Elon Musk announced plans to pull out of his $44 billion purchase of the platform, citing its failure to prove that bots make up fewer than 5% of its users as one of the reasons.
Editor’s note: A reference that AT&T suffered a similar data breach that affected 70 million users in 2021 has been removed. AT&T has always denied its systems were ever breached.