Twitter comes clean about serious security incident affecting millions

javajolt

Twitter has confirmed that a hacker was able to exploit a security vulnerability on the social platform earlier this year, gaining access to the private data of millions of users.

In total, 5.4 million accounts were affected, with the attacker able to link account names to email addresses and phone numbers. While the incident took place back in January this year, Twitter has also revealed that the exposed user data was made available to buy just last month. In what will be regarded by many as something of an understatement, the company says that "it is unfortunate that this happened".

In a message posted in its Privacy Center, Twitter alerts users about "an incident impacting some accounts and private information on Twitter". The security vulnerability has now been addressed, and Twitter insists that "there’s no action for you to take specific to this issue".

The company says:

Quote
We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.

Twitter will be notifying the owners of accounts that have been directly affected by the incident. It explains what happened:

Quote
In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter's systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter's systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.

In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.

We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by the state or other actors.

Twitter says that while no passwords were exposed in this incident, it still advises all users to enable two-factor authentication to secure their accounts.

source
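
The behaviour Twitter describes is an account-enumeration flaw: the response to a submitted email address or phone number reveals whether, and to which account, it belongs. The sketch below is an added example, not part of the original post and not Twitter's code; it puts that leaky response pattern next to a uniform-response version and adds a simple monitor for clients that submit many distinct identifiers. All function names, the account table and the threshold are hypothetical, and the data is constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: identifier -> account handle.
ACCOUNTS = {"alice@example.com": "@alice_pseudonym", "+15550100": "@bob"}
_MONITOR_KEY = os.urandom(32)  # per-process key for keyed digests


def lookup_vulnerable(identifier):
    """Leaky pattern: the reply differs for known identifiers and names the account."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "account": handle}


def lookup_hardened(identifier, outbox):
    """Same reply for every input; account-specific detail goes only to the owner."""
    handle = ACCOUNTS.get(identifier)
    if handle is not None:
        # Delivered out of band to the address or number itself, never to the caller.
        outbox.append((identifier, "Sign-in instructions for " + handle))
    return {"status": "ok", "message": "If this matches an account, we sent instructions."}


class EnumerationMonitor:
    """Flags a client that submits more than max_distinct different identifiers."""

    def __init__(self, max_distinct=3):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)

    def record(self, client_id, identifier):
        # Keep a keyed digest so the monitor does not store raw emails or phone numbers.
        digest = hmac.new(_MONITOR_KEY, identifier.encode(), hashlib.sha256).digest()
        self.seen[client_id].add(digest)
        return len(self.seen[client_id]) > self.max_distinct
```

The monitor counts over the life of the process; a production version would add a time window and key on more than a single client identifier.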