Twitter confirmed on Friday that a vulnerability allowed a bad actor to learn which account names were associated with certain email addresses and phone numbers (and yes, that could include your secret celebrity stan accounts). Twitter patched the issue in January after receiving a report through its bug bounty program, but a hacker had already exploited the flaw before Twitter became aware of it.
The vulnerability, which stemmed from a June 2021 token platform update, remained unnoticed until earlier this year. This gave hackers several months to exploit the flaw, although Twitter said it had “no evidence to suggest that someone exploited the vulnerability” at the time of its discovery.
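The article does not describe Twitter's internal code, so the following is an added illustration of the vulnerability class it reports, not Twitter's implementation: a contact-lookup step that answers "is this email or phone number in use?" and, in the vulnerable form, also names the linked account. The hardened form returns the same reply whether or not the contact is known and moves the real answer out-of-band, and a small detector flags a client that probes many distinct contacts. The user records, client IDs and function names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample directory (contact -> handle); none of these are real accounts.
USERS_BY_CONTACT = {
    "alice@example.com": "@alice_pseudonym",
    "+15555550100": "@bob_throwaway",
}


def normalize(contact: str) -> str:
    """Canonicalise a contact string so lookups and rate counts are consistent."""
    return contact.strip().lower()


def check_contact_vulnerable(contact: str) -> dict:
    """Vulnerable pattern: the reply both confirms that the contact is in use and
    names the linked handle, so anyone holding a list of e-mails or phone numbers
    can map each one to an account simply by submitting it."""
    handle = USERS_BY_CONTACT.get(normalize(contact))
    if handle is not None:
        return {"available": False, "linked_account": handle}
    return {"available": True, "linked_account": None}


def check_contact_hardened(contact: str, outbox: list) -> dict:
    """Hardened pattern: the reply sent back to the caller is identical whether or
    not the contact is linked to an account. The real outcome goes to the contact
    itself (modelled here by appending to `outbox`), which only its owner can read."""
    key = normalize(contact)
    if key in USERS_BY_CONTACT:
        outbox.append((key, "An account already uses this contact; sign in or reset your password."))
    else:
        outbox.append((key, "Here is your verification code to finish signing up."))
    # Same body, same fields, regardless of which branch ran.
    return {"message": "If this contact can be used, we have sent instructions to it."}


class EnumerationDetector:
    """Defender-side check: a legitimate user submits one or two contacts; an
    enumeration run submits thousands of distinct ones from the same client."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.distinct_by_client = defaultdict(set)

    def record(self, client_id: str, contact: str) -> bool:
        """Record one lookup; return True once the client exceeds the threshold of
        distinct contacts and should be throttled or investigated."""
        seen = self.distinct_by_client[client_id]
        seen.add(normalize(contact))
        return len(seen) > self.threshold


if __name__ == "__main__":
    box = []
    print(check_contact_vulnerable("alice@example.com"))      # leaks @alice_pseudonym
    print(check_contact_hardened("alice@example.com", box))
    print(check_contact_hardened("nobody@example.com", box))  # identical reply
    det = EnumerationDetector(threshold=2)
    for probe in ("a@example.com", "b@example.com", "c@example.com"):
        print(probe, "flagged:", det.record("client-1", probe))
```

A uniform response body is only half of the fix: if the "already registered" branch does noticeably more work (for example, sending mail synchronously), response time becomes the oracle instead, so the out-of-band delivery should be queued asynchronously so that both branches take the same time. The detector's threshold is deliberately low here for illustration; in production it would be tuned per client and combined with rate limiting on the endpoint.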
A report last month from BleepingComputer suggested otherwise, revealing that a hacker had managed to exploit the vulnerability while flying under Twitter’s radar. The hacker reportedly amassed a database of more than 5.4 million accounts by taking advantage of the flaw, then tried to sell the information on a hacker forum for $30,000. After analyzing the data posted on the forum, Twitter confirmed that its user data had been compromised.
It’s still unclear how many users are actually affected, and Twitter doesn’t seem to know either. While Twitter says it plans to notify affected users, it is “unable to confirm every account potentially affected.” Twitter advises anyone who wants to keep a pseudonymous account private to enable two-factor authentication and to attach only an email address or phone number that is not publicly known to the account they don’t want to be associated with.