"000", a member of the database-sharing forum RaidForums, on Monday posted information about clients who registered before February 2018.

He later published his contact information for journalists. BNS contacted him via the Telegram app.

"Everything I posted is all I have. If I spent more time, I probably could've gotten the latest info," the hacker said, adding that CityBee's data protection is really bad and anyone with a bit of IT knowledge could have gotten access to it.

"CityBee was using a service provided by Microsoft called Azure Blob, which is used as storage of some sorts. Now Microsoft allows you to secure those blobs with authentication, which CityBee for some reason chose not to," he said.

"Now, for researchers, hackers, coders etc. there's something called DNS records, almost like a phone book which branches out to other domains that are related to the main domain. I was able to search CityBee in a DNS record called CNAME which linked to their Azure blob and other things like their website," "000" said.

He said he found CityBee accidentally, as he's mainly interested in data of US companies. The hacker also said he did not expect this case to attract so much attention.

"At first I thought it would just be another leak gaining me a couple of credits. But in the morning I saw that my thread blew up and looked at Lithuanian news and saw the damage," he said.

The RaidForums user, who said he was acting with other users "Goofy TaeTae" and "ISUPK", said he's sorry for the damage incurred by CityBee users, stressing, however, that such data leaks happen daily.

"I have sympathetic feelings towards average citizens, not so much to the rich and government officials," he said.

The news about the data leak broke on Monday night. CityBee says data of 110,000 clients leaked, including emails, phone numbers, personal codes and enciphered passwords.

Lithuania's Criminal Police Bureau has already launched an investigation into data theft. Those responsible are facing a fine or up to four years in prison.

CityBee CEO Kristijonas Kaikaris told a press conference yesterday that the hackers did not steal customers' payment information because the company does not collect such data.

CityBee has urged users registered before February 2018 to change their passwords, as well as change them in other systems if they use similar passwords there.

CityBee operates in Lithuania, Latvia, Estonia and Poland. The company owns a fleet of over 2,000 vehicles and has a registered customer base of more than 750,000 people.

Source
It is prohibited to copy and republish the text of this publication without a written permission from UAB „BNS“.
BNS