A Twitter security vulnerability allowed a bad actor to discover the account names associated with certain email addresses and phone numbers (and yes, that could include your secret celebrity stan accounts), Twitter confirmed on Friday. Twitter initially patched the issue in January after receiving a report through its bug bounty program, but a hacker managed to exploit the flaw before Twitter even knew about it.
The vulnerability, which originated from an update the platform made to its code in June 2021, went unnoticed until the beginning of the year. That gave hackers several months to exploit the flaw, though Twitter said it had “no evidence to suggest that anyone had exploited the vulnerability” at the time of its discovery.
A report from BleepingComputer last month suggested otherwise and revealed that a hacker managed to exploit the vulnerability while flying under Twitter’s radar. The hacker reportedly amassed a database of over 5.4 million accounts by exploiting the flaw and then attempted to sell the information on a hacker forum for $30,000. After analyzing the data posted on the forum, Twitter confirmed that its user data had been compromised.
It’s still unclear how many users have actually been affected, and Twitter doesn’t seem to know. While Twitter says it plans to notify affected users, it is “unable to confirm every account that was potentially affected.” Twitter advises anyone concerned about their secret accounts to turn on two-factor authentication, as well as attach a non-publicly known email address or phone number to the account they don’t want to be associated with.