One pager

Overview

An API bug was abused to collect data from over 5.4 million accounts, specifically emails, phone numbers, and general account statistics. All of it was obtained in January 2022.

How and How to Prevent

A zero-day in Twitter’s backend allowed people to obtain information, both public and private, about people’s accounts that could potentially be used for malicious purposes. The only way to have prevented this would have been to use burner emails or VoIP phone numbers.

Data Specifics

ID, Name, Display Name, Location, URL, Description, Protected status, Follower count, Friend count, List count, Account creation date, Favorite count, Verified, Statuses count, Translator status, Profile picture URL, Email, Phone Number (if given)

Data Privacy / Security / Storage Concern

Emails and phone numbers can be used to send phishing emails or texts that capture passwords, which could lead to unauthorized access to people’s accounts. There is no evidence of the data being used for this exact purpose, though.

Sources can be found here.