Twitter says it has patched a security vulnerability that allowed threat actors to compile information about 5.4 million Twitter accounts that were listed for sale on a prominent cybercrime forum.
The vulnerability allowed anyone to enter a phone number or email address of a known user and learn if it was associated with an existing Twitter account, potentially revealing the identity of pseudonymous accounts.
In a summary posted on Friday, the microblogging giant said that “if someone submits an email address or phone number to Twitter’s systems, Twitter’s systems will tell the person which Twitter account the submitted email address or phone number is associated with, if any.”
Twitter said it fixed the bug in January — six months after the bug was originally introduced into its codebase — following a bug bounty report by a security researcher who received $6,000 for disclosing the vulnerability.
According to the bug bounty report, the vulnerability poses a “serious threat” to users who have personal or pseudonymous accounts and could be used to “create a database” or enumerate “a large portion of Twitter’s user base.” It is similar to a vulnerability discovered in late 2019 that allowed a security researcher to link 17 million phone numbers to Twitter accounts.
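The enumeration pattern described above, as an added example that is not Twitter's code: a lookup handler that echoes back the linked account (the leaky behaviour the summary describes) beside a hardened version that answers identically whether or not the identifier is registered, plus a defender-side check that flags clients querying many distinct identifiers. The directory, log format and IPs are constructed for the example.

```python
# Added example, not from the article or from Twitter. Demonstrates:
#  1. the leaky email/phone -> account lookup behaviour,
#  2. a uniform-response fix that reveals nothing to the caller,
#  3. a simple enumeration detector over constructed request log lines.

# Constructed sample directory: identifier -> account handle.
DIRECTORY = {
    "alice@example.com": "@alice_pseudonym",
    "+15550001111": "@bob_handle",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Leaky behaviour: one query per email/phone confirms both that an
    account exists and which handle it belongs to."""
    handle = DIRECTORY.get(identifier)
    if handle is None:
        return {"exists": False}
    return {"exists": True, "handle": handle}


def lookup_hardened(identifier: str) -> dict:
    """Uniform response: the caller cannot tell a registered identifier
    from an unregistered one. Any follow-up (such as a confirmation code)
    would be sent to the identifier itself, never echoed back here."""
    _ = DIRECTORY.get(identifier)  # looked up only for the out-of-band step
    return {"status": "If this identifier is registered, we will contact it."}


def flag_enumeration(log_lines: list[str], threshold: int = 3) -> list[str]:
    """Return client IPs that looked up more than `threshold` distinct
    identifiers. Constructed log format: '<client_ip> <identifier>'."""
    seen: dict[str, set[str]] = {}
    for line in log_lines:
        ip, identifier = line.split(maxsplit=1)
        seen.setdefault(ip, set()).add(identifier)
    return sorted(ip for ip, ids in seen.items() if len(ids) > threshold)


# Constructed request log: one client walks a list of identifiers,
# another performs a single lookup.
SAMPLE_LOG = [
    "203.0.113.7 a1@example.com",
    "203.0.113.7 a2@example.com",
    "203.0.113.7 a3@example.com",
    "203.0.113.7 +15550002222",
    "198.51.100.2 alice@example.com",
]

if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"))   # leaks the handle
    print(lookup_hardened("alice@example.com"))     # same answer for any input
    print(flag_enumeration(SAMPLE_LOG))             # ['203.0.113.7']
```

In production the hardened path also needs per-client rate limiting, since a uniform body alone does not stop timing or volume-based probing.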
But the researcher’s warning came too late. Hackers had already used the vulnerability during that six-month window to create a database of email addresses and phone numbers of 5.4 million Twitter accounts.
Twitter said it learned of the exploit from a press report in July (it did not name the source), which found a listing on a cybercrime forum that claimed to have user data “from celebrities to companies” and “OGs,” a term referring to custom or highly searched social media and gaming usernames.
“After reviewing a sample of available sales data, we have confirmed that a bad actor took advantage of the issue before it was addressed,” Twitter said. “We will directly notify account owners that we can confirm are affected by this issue.”
It is the latest security incident to hit Twitter in recent years. In May, Twitter agreed to pay $150 million as part of an agreement with the Federal Trade Commission after the company misused phone numbers and email addresses that users submitted to set up two-factor authentication for targeted advertising.