Twitter has confirmed that someone exploited a zero-day vulnerability to gain access to user data.
The company says in a blog post about the incident that the vulnerability in question “allowed someone to enter a phone number or email address in the sign-in flow in an attempt to find out if that information is associated with an existing Twitter account and if so, which account.”
Twitter says the flaw was introduced in a June 2021 update, reported by a security researcher in January and then patched later that month. “At the time,” the company says, “we had no evidence to suggest that anyone had exploited the vulnerability.”
Now that has changed. BleepingComputer reports that someone exploited this vulnerability to scrape information about 5.4 million Twitter accounts, including the phone number or email address discovered through this flaw as well as publicly available data, before it was patched.
Twitter says it “learned through a press report that someone had potentially exploited this and was offering to sell the information they had gathered” in July. The company then reviewed some of the data that was sold and confirmed that it was legitimate.
“We will directly notify account holders we can confirm were affected by this issue,” Twitter says. “We are issuing this update because we are unable to confirm every account that was potentially affected, and we are especially wary of people with pseudonymous accounts who may be targeted by government or other actors.”
Twitter officially recommends “not adding a publicly known phone number or email address to your Twitter account” if you use a pseudonymous account. That advice cannot be applied retroactively, however, and it sits awkwardly with the way Twitter regularly pressures users to link their phone numbers to their accounts.
Twitter did not immediately respond to a request for comment.
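The sign-in flaw described above is a classic account-enumeration leak: the response differs depending on whether the identifier belongs to an account. The following is an added example, not Twitter's code, showing a toy version of the leaky lookup beside an enumeration-resistant one, plus a log check for the mass-probing pattern a scrape like this leaves behind. The account store, handles, sources and log events are constructed for illustration.

```python
# Added example, not Twitter's code: a toy sign-in identifier lookup showing
# the enumeration leak beside a version that answers identically either way,
# plus a check over (source, identifier) log pairs for mass probing.
from collections import defaultdict

# Constructed sample account store: identifier (email or phone) -> handle.
ACCOUNTS = {
    "alice@example.com": "@alice",
    "+15551230000": "@alice",
    "bob@example.com": "@bob",
}
SENT = []  # stand-in for the out-of-band code delivery side effect


def lookup_vulnerable(identifier: str) -> dict:
    """Leaks both existence and the handle through a differing response."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": 404, "message": "No account found for that identifier."}
    return {"status": 200, "message": f"Sending a sign-in code to {handle}."}


def lookup_hardened(identifier: str) -> dict:
    """Same status and text whether or not the identifier is known.

    Existence is revealed only out of band, to the owner of the address or
    number, never to whoever typed it into the sign-in form."""
    handle = ACCOUNTS.get(identifier)
    if handle is not None:
        SENT.append(handle)  # side effect only; nothing about it is reflected back
    return {"status": 200,
            "message": "If that identifier belongs to an account, a sign-in code is on its way."}


def flag_enumeration(events, threshold=20):
    """Return sources that probed more than `threshold` distinct identifiers.

    A real user retries a handful of their own identifiers; a scrape cycles
    through many distinct ones, which is the pattern to alert and throttle on."""
    seen = defaultdict(set)
    for source, identifier in events:
        seen[source].add(identifier)
    return {src for src, ids in seen.items() if len(ids) > threshold}


# Constructed sample log: one real user retrying, one source cycling identifiers.
SAMPLE_EVENTS = [("203.0.113.5", "alice@example.com")] * 3 + [
    ("198.51.100.9", f"user{i}@example.com") for i in range(25)
]
```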