reported that “…the dumped database says it includes the 5.4 million users’ usernames, display names, bios, locations, email addresses and phone numbers. The attacker amassed the data by exploiting APIs tied to the “let others find you by your phone” feature.” The November 28, 2022 report entitled “Cybercrime Forum Dumps Stolen Details on 5.4M Twitter Users” ( included these comments:

According to an analysis conducted by the Breached forum, which is hosting the stolen data, 681,184 of the email addresses, comprising 12% of dumped email addresses, don’t appear to have been previously leaked.

Twitter confirmed the breach in August, saying it had learned about the flaw in January via its bug bounty program and immediately fixed it (see: Twitter Confirms Zero-Day Bug That Exposed 5.4M Accounts).

Twitter said the flaw meant that “if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any.”
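The flaw Twitter describes is an account-enumeration oracle: a contact-lookup endpoint that answers for any submitted email address or phone number, whether or not the account holder opted in to being found. The following is an added illustration, not Twitter's code and not a description of its actual fix: a small Python model of the flawed lookup beside a hardened one that honours the discoverability setting and throttles callers, plus a detection pass over constructed audit events. The account data, caller ids, thresholds and event format are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    phone: str
    discoverable: bool  # the user's "let others find you by email/phone" setting


# Constructed sample accounts for the example; not real data.
ACCOUNTS = [
    Account("alice", "alice@example.com", "+15550000001", discoverable=True),
    Account("bob", "bob@example.com", "+15550000002", discoverable=False),
]


def lookup_vulnerable(contact: str) -> dict:
    """Flawed shape: answers for every submitted email or phone number and
    ignores the account's discoverability setting, so any caller can map
    contact details to accounts."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return {"found": True, "username": acct.username}
    return {"found": False}


class RateLimiter:
    """Fixed-window counter per caller (hypothetical; assumes the server can
    attribute each request to an authenticated app or user id)."""

    def __init__(self, limit: int):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, caller: str) -> bool:
        self.counts[caller] += 1
        return self.counts[caller] <= self.limit


def lookup_hardened(contact: str, caller: str, limiter: RateLimiter) -> dict:
    """Hardened shape: only opted-in accounts are matchable, so a
    non-discoverable account and a nonexistent contact yield the same
    response, and the caller is throttled so bulk probing is cut short."""
    if not limiter.allow(caller):
        return {"error": "rate_limited"}
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone) and acct.discoverable:
            return {"found": True, "username": acct.username}
    return {"found": False}


def flag_bulk_lookups(events, min_calls=100, min_miss_ratio=0.5):
    """Detection over lookup audit events: a caller with many lookups and a
    high miss ratio looks like contact enumeration rather than a user
    syncing their own address book."""
    calls = defaultdict(int)
    misses = defaultdict(int)
    for ev in events:
        calls[ev["caller"]] += 1
        if not ev["found"]:
            misses[ev["caller"]] += 1
    return sorted(
        c for c in calls
        if calls[c] >= min_calls and misses[c] / calls[c] >= min_miss_ratio
    )


# Constructed audit events: a normal address-book sync and a bulk prober.
SAMPLE_EVENTS = (
    [{"caller": "app-user-42", "found": i % 2 == 0} for i in range(20)]
    + [{"caller": "scraper-7", "found": i % 10 == 0} for i in range(500)]
)

if __name__ == "__main__":
    limiter = RateLimiter(limit=3)
    print(lookup_vulnerable("bob@example.com"))        # reveals bob
    print(lookup_hardened("bob@example.com", "c", limiter))  # same as a miss
    print(flag_bulk_lookups(SAMPLE_EVENTS))            # ['scraper-7']
```

The two lookups differ only in the `discoverable` check and the throttle, which is the whole point: the feature itself (find people who opted in) is legitimate, and the defect is answering for everyone else. The detection function is deliberately crude; in practice the miss-ratio threshold and window would be tuned against real address-book sync traffic.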

Is anyone surprised?