Twitter says it has fixed a security vulnerability that allowed threat actors to collect information about 5.4 million Twitter accounts for sale on a well-known cybercrime forum.
The vulnerability allowed anyone to enter a phone number or email address of a known user and discover if it was linked to an existing Twitter account, potentially revealing the identities of pseudonymous accounts.
In a short statement published on Friday, the microblogging giant said: “If someone sent an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person which Twitter account the submitted email address or phone number was associated with, if applicable.”
Twitter said it fixed the bug in January — six months after the bug was first introduced to its codebase — following a bug bounty report by a security researcher, who received $6,000 for revealing the vulnerability.
According to the bug bounty report, the vulnerability posed a “serious threat” to users with private or pseudonymous accounts, and could be used to “create a database” or enumerate “a large portion of the Twitter user base.” It’s similar to a vulnerability discovered in late 2019 that allowed a security researcher to link 17 million phone numbers to Twitter accounts.
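As an added illustration (not Twitter's code; the handler names, account directory and log lines below are constructed), this Python contrasts a lookup endpoint that behaves like the described bug, revealing which account an email address or phone number belongs to, with one that answers identically for known and unknown identifiers, and adds a simple check that flags a source probing an abnormal number of distinct identifiers, the pattern behind building a database of accounts.

```python
from collections import defaultdict

# Constructed sample directory: identifier -> account handle (not real data).
ACCOUNTS = {
    "alice@example.com": "@alice_pseudonym",
    "+15555550123": "@bob_private",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Mirrors the described bug: the response says whether the identifier
    is linked to an account, and which one, so it acts as an oracle."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "account": handle}


def lookup_hardened(identifier: str) -> dict:
    """Returns the same response whether or not the identifier is known.
    Any real action (e.g. sending a reset link) happens out of band, so
    the caller learns nothing about account existence."""
    _ = ACCOUNTS.get(identifier)
    return {"status": "accepted"}


def detect_enumeration(log_lines, threshold: int = 100) -> list:
    """Flag sources that look up many *distinct* identifiers.
    log_lines: constructed 'src_ip identifier' strings."""
    seen = defaultdict(set)
    for line in log_lines:
        src_ip, identifier = line.split(maxsplit=1)
        seen[src_ip].add(identifier)
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)


# Constructed request log: one source sweeps 150 addresses, another makes
# a handful of ordinary lookups.
SAMPLE_LOG = [f"203.0.113.5 user{i}@example.com" for i in range(150)]
SAMPLE_LOG += ["198.51.100.7 alice@example.com"] * 3


def flagged_sources() -> list:
    """Run the detector over the constructed log; returns ['203.0.113.5']."""
    return detect_enumeration(SAMPLE_LOG)
```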
But the researcher’s warning came too late. Hackers had already exploited the vulnerability during that six-month period to create a database of email addresses and phone numbers for 5.4 million Twitter accounts.
Twitter said it learned in July about the exploitation from an unspecified press report, which found a listing on a cybercrime forum claiming to have user data “from celebrities to businesses,” as well as OGs, referring to custom or highly sought-after social media and gaming usernames.
“After reviewing a sample of the data available for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. “We will notify the account owners directly who we can confirm are affected by this issue.”
It is the latest security incident to have occurred on Twitter in recent years. In May, Twitter agreed to pay $150 million in a settlement with the Federal Trade Commission after the company misused phone numbers and email addresses users provided to set up two-factor authentication for targeted advertising.