Twitter had a serious security flaw; over 5 million accounts might have been exposed

Unfortunately, we have some bad news for all Twitter users. The social network recently confirmed on its Privacy Center page that its platform had a security flaw which allowed bad actors to find out whether a phone number or email address was associated with an account and, if so, which one. All an attacker needed to do was enter phone numbers or email addresses into the login field, and the platform would reveal the connected profiles.
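The flaw described above is a classic account-enumeration oracle: a lookup step whose response differs depending on whether an identifier is on file. The following is an added illustration (not Twitter's code; the account table, handler names and the `ProbeDetector` class are all constructed here) that places the leaky behaviour beside a uniform-response version and includes a check a defender can run against any such handler:

```python
"""Account-enumeration oracle vs. a uniform-response lookup.

Added illustration, not Twitter's code: a constructed in-memory account
store and two handlers for a "find account by phone or e-mail" step.
The first reveals which account an identifier belongs to; the second
answers identically whether or not the identifier is registered.
"""
import hmac
from collections import defaultdict

# Constructed sample data; handles and contact details are made up.
ACCOUNTS = {
    "alice_handle": {"email": "alice@example.com", "phone": "+15550001111"},
    "anon_whistle": {"email": "burner@example.net", "phone": "+15550002222"},
}

# Stand-in for an e-mail/SMS sender; records which accounts were notified.
SENT_NOTICES = []


def _send_out_of_band_notice(handle: str) -> None:
    """Deliver the real result to the account owner, never to the requester."""
    SENT_NOTICES.append(handle)


def vulnerable_lookup(identifier: str) -> dict:
    """Leaky behaviour: confirms the identifier is known and names the account."""
    for handle, contact in ACCOUNTS.items():
        if identifier in (contact["email"], contact["phone"]):
            return {"status": "found", "handle": handle}
    return {"status": "not_found"}


def hardened_lookup(identifier: str) -> dict:
    """Uniform response: same body and same amount of work either way.

    The whole table is scanned with constant-time comparisons so that neither
    the response body nor its timing tells the caller whether a match existed.
    """
    matched = None
    probe = identifier.encode("utf-8")
    for handle, contact in ACCOUNTS.items():
        for value in (contact["email"], contact["phone"]):
            if hmac.compare_digest(probe, value.encode("utf-8")):
                matched = handle
    if matched is not None:
        _send_out_of_band_notice(matched)
    return {
        "status": "ok",
        "message": "If this identifier is registered, we have sent it a message.",
    }


def leaks_existence(handler) -> bool:
    """Defender's check: does the handler answer differently for a known vs unknown identifier?"""
    known = handler("alice@example.com")
    unknown = handler("nobody@example.org")  # constructed, not in ACCOUNTS
    return known != unknown


class ProbeDetector:
    """Flags a source that queries many distinct identifiers, the bulk-lookup pattern
    that turns a single oracle response into a compiled data set."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self._seen = defaultdict(set)

    def record(self, source: str, identifier: str) -> bool:
        """Return True once `source` has probed more than `threshold` distinct identifiers."""
        self._seen[source].add(identifier)
        return len(self._seen[source]) > self.threshold


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_existence(vulnerable_lookup))
    print("hardened handler leaks:", leaks_existence(hardened_lookup))
```

The important design choice is that `hardened_lookup` moves the real answer out of band: the account owner is told something happened, while the requester receives the same message in every case. The `leaks_existence` check can be pointed at any lookup handler in a test suite to catch regressions of exactly the kind the article describes.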

The vulnerability was actually a bug introduced by a code update released in June 2021. In January 2022, which, mind you, is a whole six months after the update, Twitter received a report through its bug bounty program describing a flaw in its systems. According to Twitter, it fixed the problem immediately upon learning of it. If you are not familiar with Twitter's bug bounty program, it is an initiative that enables security experts and researchers to report vulnerabilities they discover in Twitter's systems.

As Twitter shared, there was no evidence at that time that anyone had used the bug to access personal information. However, in July 2022, Twitter learned through a "press report" that someone had exploited the vulnerability before it was patched and was now selling the data they had compiled. After reading the report, Twitter immediately began an investigation and confirmed that, indeed, "a bad actor had taken advantage of the issue before it was addressed." Most likely, the report in question was an article by BleepingComputer revealing that a hacker was selling Twitter account data of 5.4 million users for $30k on a hacker forum.

Now, Twitter didn't give an exact number of affected accounts. Furthermore, in its blog post, the company stated that it wasn't "able to confirm every account that was potentially impacted." But it hinted that some of the victims were users with pseudonymous profiles, which is why it advises such users not to add a publicly known phone number or email address to their Twitter account. On the hacker forum, however, the person behind the attack claimed that the stolen data contained information about celebrities, companies, and random users. They also gave an exact number: 5,485,636.

We should note that, according to Twitter, no passwords were exposed. Nevertheless, the platform advises users to "enable 2-factor authentication using authentication apps or hardware security keys" in order to protect their accounts. Twitter also stated that it will notify the account owners it can confirm were affected by the attack.

As Twitter said, if you are concerned about your account's safety or have questions about how it protects your personal information, you can fill out this form and reach out to Twitter's Office of Data Protection.