On Friday, the social media company announced that a now-patched vulnerability was used to link emails and phone numbers to specific user accounts. The zero-day bug was introduced in June of 2021, with Twitter becoming aware of the issue in January of 2022.
An advisory from the company stated that, “if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any.” The reason it took the social media company six months to publicize their findings came from recent evidence that the flaw had been taken advantage of. Prior to being fixed, an unidentified actor may have scraped user information and sold it on Breach Forums for a profit. No passwords were exposed.
The social media platform didn’t reveal exactly how many users were affected; however, a post from the suspected threat actor alleged that over 5.48 million user profiles were impacted. According to Restore Privacy, the database was selling for $30,000.
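The behaviour the advisory describes is a classic account-enumeration oracle: a lookup endpoint whose answer differs depending on whether the submitted email or phone number is on file. The following is an added illustration written for this article, not Twitter's code; the account directory, the response shapes, and the alert threshold are all constructed for the example. It shows the leaking lookup beside a hardened variant that answers uniformly, plus a simple defender-side monitor that flags a client probing many distinct identifiers, the pattern a bulk scrape of such an oracle produces.

```python
# Added illustration (not Twitter's code): an email/phone lookup that leaks
# account linkage, a hardened variant, and a detection counter for probing.
from typing import Optional

# Constructed sample directory (not real users): identifier -> account handle.
ACCOUNTS = {
    "alice@example.com": "@alice",
    "+15550001111": "@alice",
    "bob@example.com": "@bob",
}


def vulnerable_lookup(identifier: str) -> dict:
    """Models the advisory's description: the response reveals which
    account, if any, the submitted email or phone number is associated with."""
    handle: Optional[str] = ACCOUNTS.get(identifier)
    return {"registered": handle is not None, "account": handle}


def hardened_lookup(identifier: str) -> dict:
    """Uniform response: identical body whether or not the identifier is on
    file, so the endpoint no longer acts as an enumeration oracle. Any
    follow-up (e.g. a recovery message) goes out-of-band to the contact itself."""
    return {"status": "If this contact is on file, we will send a message to it."}


class LookupMonitor:
    """Defender-side counter: flags a client that submits many *distinct*
    identifiers to the lookup endpoint. The threshold is an assumed value
    chosen for illustration; a real deployment would tune it per window."""

    def __init__(self, threshold: int = 50):
        self.threshold = threshold
        self.seen: dict[str, set[str]] = {}  # client id -> identifiers probed

    def record(self, client: str, identifier: str) -> bool:
        """Record one lookup; return True once the client crosses the threshold."""
        self.seen.setdefault(client, set()).add(identifier)
        return len(self.seen[client]) >= self.threshold


if __name__ == "__main__":
    print(vulnerable_lookup("alice@example.com"))   # leaks the linked handle
    print(hardened_lookup("alice@example.com"))     # same body for any input
    mon = LookupMonitor(threshold=3)
    for ident in ("a@x.test", "b@x.test", "c@x.test"):
        print(ident, "alert" if mon.record("client-1", ident) else "ok")
```

The key property of the hardened version is that a registered and an unregistered identifier produce byte-for-byte the same response (and, in practice, the same timing), while the monitor gives a detection signal that only fires on breadth of probing, not on a single legitimate lookup.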
Tech giant Twitter said they’re directly notifying account owners and urging individuals to turn on 2FA (two-factor authentication) in order to keep themselves protected.