Hackers Exploit Twitter Vulnerability To Exposes 5.4M Account

Twitter on Friday revealed that some threat actor used a now-patched zero-day bug to link phone numbers and emails to user accounts on the social media platform.

The company said that as a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, it would tell the person the associated account.

Twitter Acknowledge the Vulnerability

Twitter said the bug, which it was made aware of in January 2022, stemmed from a code change initiated in June 2021. The firm did not lose any password to this attempt.

The six-month hesitation in making this public stems from new evidence last month that an anonymous actor had potentially taken advantage of the flaw before the fix to scrape user information and sell it for profit on Breach Forums.

Although Twitter did not disclose the exact number those who affected by the campaign, the threat actor said that they have the information of more than 5.48 million user.

Restore Privacy, which disclosed the breach late last month, said the database was being sold for $30,000.

Twitter stated it’s in the process of directly notifying account owners affected by the issue, while also urging users to turn on two-factor authentication to secure against unauthorized logins.

The aftermath comes as Twitter, in May, agreed to pay a $150 million fine to settle disapproval from the U.S. Justice Department that alleged the company between 2014 and 2019 used information account holders provided for security verification for promotion purposes without their permission.