Twitter says it has fixed a security vulnerability that allowed threat actors to compile information of 5.4 million Twitter accounts, which were listed for sale on a known cybercrime forum.
The vulnerability allowed anyone to enter a phone number or an email address of a known user and learn if it was tied to an existing Twitter account, potentially exposing the identities of pseudonymous accounts.
In a brief statement published Friday, the microblogging giant said, “if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any.”
Twitter said it fixed the bug in January — six months after the bug was initially introduced to its codebase — after a bug bounty report by a security researcher, who was awarded $6,000 for disclosing the vulnerability.
According to the bug bounty report, the vulnerability posed a “serious threat” to users who have private or pseudonymous accounts, and could be used to “create a database” or enumerate “a big chunk of the Twitter user base.” It’s similar to a vulnerability discovered in late 2019 that allowed a security researcher to match 17 million phone numbers to Twitter accounts.
But the researcher’s warning came too late. Hackers had already exploited the vulnerability during that six-month window to create a database of email addresses and phone numbers of 5.4 million Twitter accounts.
Twitter said it learned about the exploitation from an unspecified press report in July, which found a listing on a cybercrime forum claiming to have user data “from celebrities to companies,” and OGs, referring to custom or highly sought-after social media and gaming usernames.
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. “We will be directly notifying the account owners we can confirm were affected by this issue.”
It’s the latest security incident to hit Twitter in recent years. In May, Twitter agreed to pay $150 million in a settlement with the Federal Trade Commission after the company misused phone numbers and email addresses, which users submitted for setting up two-factor authentication, for targeted advertising.