Twitter announced on Aug. 5 that it had found a security flaw in its systems that let a threat actor learn whether a given phone number or email address was associated with an existing Twitter account. The announcement followed reports that data on about 5.4 million Twitter accounts, compiled through the flaw, had been put up for sale.
In a security advisory, Twitter said that in January 2022 it received a report of a vulnerability that allowed a person to submit an email address or phone number to Twitter's systems and learn which existing Twitter account, if any, was associated with the data provided. In effect, the affected endpoint acted as an account-enumeration oracle: it answered differently for identifiers that were linked to an account than for ones that were not.
The report was submitted by a user named “zhirinovskiy” on HackerOne, a vulnerability coordination and bug bounty platform. The user described the vulnerability and how it could be exploited. Five days later, Twitter acknowledged the report and rewarded zhirinovskiy with a $5,040 bounty.
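The article does not reproduce the affected Twitter endpoint, so the following is an added illustration of the bug class, not Twitter's code or the HackerOne report. It uses a constructed in-memory directory (the identifiers and handles are made up) and shows a lookup handler that leaks whether an email or phone number is registered, the same handler hardened to return an identical response either way, and the enumeration loop an attacker runs against each. The `normalize` helper and the out-of-band notification stub are assumptions for the example.

```python
"""Account-enumeration oracle: vulnerable handler, hardened handler, attacker loop.

Added example; not code from Twitter or from the HackerOne report. The account
directory below is constructed sample data.
"""
import hashlib
import secrets

# Constructed sample directory: identifier -> account handle. Not real data.
ACCOUNTS = {
    "alice@example.org": "@alice",
    "+15550100": "@bob_pseudonym",   # a pseudonymous account tied to a phone number
    "carol@example.net": "@carol",
}

# Stand-in for an out-of-band channel (email/SMS). The caller never sees this.
NOTIFICATIONS = []


def _notify_owner_out_of_band(handle: str) -> None:
    """Assumed helper: record that the real owner would be messaged."""
    NOTIFICATIONS.append(handle)


def normalize(identifier: str) -> str:
    """Lower-case emails; strip spaces and punctuation from phone numbers.

    Assumed helper so that '+1 (555) 0100' and '+15550100' match the same entry.
    """
    s = identifier.strip()
    if "@" in s:
        return s.lower()
    return "".join(ch for ch in s if ch.isdigit() or ch == "+")


def vulnerable_lookup(identifier: str) -> dict:
    """Vulnerable pattern: the response depends on whether the identifier is
    linked to an account, and on a hit it even names the account."""
    handle = ACCOUNTS.get(normalize(identifier))
    if handle is None:
        return {"status": 404, "error": "No account is associated with this identifier."}
    return {"status": 200, "handle": handle}


def hardened_lookup(identifier: str) -> dict:
    """Hardened pattern: the same response for known and unknown identifiers.

    The only consequence of a hit is a message to the owner over a channel the
    caller does not observe. Both paths do the same amount of work so that the
    timing difference is not an obvious second oracle.
    """
    key = normalize(identifier)
    handle = ACCOUNTS.get(key)
    if handle is not None:
        _notify_owner_out_of_band(handle)
    hashlib.sha256(key.encode()).digest()   # equal work on both paths
    return {
        "status": 200,
        "message": "If this identifier is associated with an account, "
                   "we have sent a message to it.",
    }


def enumerate_accounts(oracle, candidates):
    """Attacker's loop: compare each candidate's response against a baseline
    for an identifier that is certainly unregistered, and keep the ones that
    differ. Returns {identifier: handle-or-None} for every confirmed hit."""
    probe = "unregistered-" + secrets.token_hex(8) + "@example.invalid"
    baseline = oracle(probe)
    hits = {}
    for candidate in candidates:
        response = oracle(candidate)
        if response != baseline:
            hits[candidate] = response.get("handle")
    return hits


if __name__ == "__main__":
    cands = ["alice@example.org", "+1 (555) 0100", "nobody@example.org"]
    print("vulnerable:", enumerate_accounts(vulnerable_lookup, cands))
    print("hardened:  ", enumerate_accounts(hardened_lookup, cands))
```

Against the vulnerable handler the loop confirms two of the three candidates and recovers their handles; against the hardened one it confirms nothing, because every response is byte-for-byte identical. A production version would also rate-limit and authenticate the endpoint, since a uniform response does not stop a determined actor from retrying, but the uniform response is what removes the information leak itself.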
“This bug resulted from an update to our code in June 2021,” Twitter said on Aug. 5 of the security flaw. “When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”
The announcement continued: “In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”
RestorePrivacy, a digital privacy group, reported in late July that a person who used the alias “devil” said on a hacking forum called “Breached Forums” that they were selling data gathered from some 5.4 million Twitter users. The person said the data involves the Twitter accounts of celebrities, companies, and others.
Bleeping Computer said in July that it spoke to the person, who said they had used a vulnerability to gather the data in December 2021. The person said the data was on sale for $30,000 and that there were interested buyers. It is unclear whether the data has been sold.
Twitter said it will be “directly notifying” Twitter account owners that were confirmed to have been affected.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” the company said.
Twitter said that people who operate pseudonymous accounts, that is, accounts run under a name other than the holder's real name, should not add a publicly known phone number or email address to their Twitter account, since doing so is what allows the flaw to link the identifier to the account.
“While no passwords were exposed, we encourage everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect your account from unauthorized logins,” Twitter added.