Twitter confirmed and acknowledged that a vulnerability in its code led to the release of data in late 2021. The company said on Friday that an attacker took advantage of the zero-day vulnerability before it became aware of it and fixed the problem in January 2022. The vulnerability was discovered by a security researcher who contacted Twitter through a bug bounty program.
Once Twitter found out about the vulnerability, it stated that it didn’t have enough evidence that it had been exploited. Last month, however, one person told Bleeping Computer that he had used the vulnerability to obtain data on more than 5.4 million accounts. Twitter said it could not confirm how many users were affected by the vulnerability.
The vulnerability allowed attackers to determine whether an email address or phone number was tied to an existing Twitter account. In turn, they could use that information to determine the identity of the account owner.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” Twitter reported. “If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened.”
In addition, Twitter said that it would directly notify all account holders who it can confirm have been affected by the incident. If users want to keep their identities private, the company recommends not adding a publicly known phone number or email address to an account. It also advises adding two-factor authentication.
