A new report has revealed that more than 5.4 million Twitter accounts have been compromised following a bug that was used by hackers.

User records were stolen through an application programming interface (API) attack, which allowed the hackers to access private phone numbers and email addresses, according to The Independent.

The news outlet says that a report from BleepingComputer – released over the weekend – highlighted that an issue made public in December 2021 and patched in January 2022 was targeted by the hackers. They then began selling the stolen data in July 2022.

Twitter said that it “deeply regretted” allowing the incident to happen and that it would notify any users impacted.

However, security experts have warned that the full extent of how the hackers may exploit the data is unknown as of yet. Other security experts have said that Twitter users need to be cautious and look out for any suspicious emails or text messages that claim to be from Twitter in the coming weeks.

The report warns that cyber criminals with access to non-public Twitter data could use it to carry out phishing attacks to trick people into clicking on links that divert them to pages designed to steal other credentials or money.