Twitter claims to have patched a security flaw that allowed threat actors to compile information on 5.4 million Twitter accounts, which were listed for sale on a known cybercrime forum.
The vulnerability allowed anyone to enter a known user’s phone number or email address and find out if it was linked to an existing Twitter account, potentially exposing the identity of pseudonymous accounts.
In a brief statement published on Friday, the microblogging giant said, “If someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person which Twitter account the email addresses or telephone number submitted were associated, if applicable”.
Twitter said it patched the bug in January – six months after the bug was initially introduced to its codebase – after a bug bounty report by a security researcher, who was awarded $6,000 for disclosing the vulnerability.
According to the bug bounty report, the vulnerability posed a “serious threat” to users who have private or pseudonymous accounts, and could be used to “create a database” or enumerate “a large portion of the user base of Twitter”. It resembles a vulnerability discovered in late 2019 that allowed a security researcher to match 17 million phone numbers to Twitter accounts.
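The lookup behaviour the article describes, as an added illustration that is not Twitter's code: a constructed contact lookup that acts as an account-existence oracle, beside a version whose response does not change with whether the contact is registered (only users who opted in to discovery are ever returned), and a per-client counter a defender could use to flag bulk probing. The user directory, opt-in set and threshold are all made up for the example.

```python
from collections import defaultdict

# Constructed sample directory: contact identifier -> account handle.
USERS = {
    "alice@example.com": "@alice_pseudonym",
    "+15550100": "@bob",
}
# Constructed opt-in set: only these accounts agreed to be found by contact details.
DISCOVERABLE = {"@bob"}


def lookup_vulnerable(contact: str) -> dict:
    """Pre-fix behaviour: the response itself reveals whether the contact is
    registered and which account it belongs to, so anyone can enumerate."""
    handle = USERS.get(contact)
    if handle:
        return {"exists": True, "handle": handle}
    return {"exists": False}


def lookup_hardened(contact: str) -> dict:
    """Fixed behaviour: an unregistered contact and a registered but
    non-discoverable one produce the identical response, so the endpoint
    no longer confirms account existence for users who did not opt in."""
    handle = USERS.get(contact)
    if handle in DISCOVERABLE:
        return {"status": "ok", "handle": handle}
    return {"status": "ok"}


class EnumerationDetector:
    """Flags a client that probes more distinct contacts than a threshold,
    the pattern a bulk scrape of the endpoint would produce."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.seen = defaultdict(set)  # client id -> distinct contacts probed

    def record(self, client: str, contact: str) -> bool:
        self.seen[client].add(contact)
        return len(self.seen[client]) > self.threshold
```

In production the counter would be keyed on a time window and combined with the usual rate limiting; the point here is that the oracle is closed by making the response independent of existence, not by rate limiting alone.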
But the researcher’s warning came too late. Hackers had already exploited the vulnerability during that six-month window to create a database of email addresses and phone numbers of 5.4 million Twitter accounts.
Twitter said it learned of the exploit from an unspecified press report in July, which found a listing on a cybercrime forum claiming to have user data “from celebrities to corporations”, and “OGs”, referring to custom or highly sought-after social media and gaming usernames.
“After reviewing a sample of available for sale data, we have confirmed that a bad actor took advantage of the issue before it was resolved,” Twitter said. “We will notify account owners directly who we can confirm have been affected by this issue.”
It’s the latest in a series of security incidents to hit Twitter in recent years. In May, Twitter agreed to pay $150 million as part of a settlement with the Federal Trade Commission after the company misused phone numbers and email addresses, which users submitted to set up two-factor authentication, for targeted advertising.