Twitter on Friday disclosed that a patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform.
“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any,” the company said in an advisory.
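The behaviour quoted above is a classic account-enumeration flaw: the response to a contact lookup differs depending on whether the contact is linked to an account. As an added illustration (not Twitter's code; all names and sample data are constructed), the snippet below shows that leaky pattern next to a hardened version that answers identically for known and unknown contacts and flags clients that try many distinct contacts.

```python
"""Added illustration, not Twitter's code: a contact-lookup endpoint that
reveals account association, beside a hardened version that responds
uniformly and flags bulk lookups. Names and sample data are constructed."""
from collections import defaultdict

# Constructed sample directory: contact identifier -> account handle.
ACCOUNTS = {"alice@example.com": "@alice", "+15550001111": "@bob"}


def vulnerable_lookup(contact: str) -> dict:
    """Pre-fix pattern described in the article: the response itself tells
    the caller whether, and to which account, the contact is linked."""
    handle = ACCOUNTS.get(contact)
    return {"found": handle is not None, "account": handle}


class HardenedLookup:
    """Fixed pattern: the response is identical whether or not the contact
    exists, and a per-client counter surfaces enumeration attempts so the
    behaviour can be rate-limited and alerted on."""

    GENERIC_REPLY = {"status": "If this contact is registered, we sent a message."}

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.lookups = defaultdict(set)  # client_id -> distinct contacts tried
        self.flagged = set()

    def lookup(self, client_id: str, contact: str) -> dict:
        self.lookups[client_id].add(contact)
        if len(self.lookups[client_id]) > self.threshold:
            self.flagged.add(client_id)
        # Any real side effect (e.g. sending a verification message to the
        # contact if it exists) happens out of band; the HTTP-level reply
        # never discloses association.
        return dict(self.GENERIC_REPLY)

    def is_flagged(self, client_id: str) -> bool:
        return client_id in self.flagged
```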
Twitter said the flaw, which was reported to it in January 2022, stemmed from a code change introduced in June 2021. No passwords were exposed as a result of the incident.
The six-month delay in making this public stems from new evidence last month that an unidentified actor had potentially taken advantage of the flaw before it was fixed to scrape user information and sell it for profit on Breach Forums.
Although Twitter did not disclose the exact number of affected users, the forum post made by the threat actor indicates that the flaw was apparently exploited to compile a list that allegedly contained over 5.48 million user account profiles.
Restore Privacy, which disclosed the breach late last month, said the database was being sold for $30,000.
Twitter said it is in the process of directly notifying owners of accounts affected by the problem, while also urging users to enable two-factor authentication to secure against unauthorized logins.
The development comes after Twitter, in May, agreed to pay a $150 million fine to settle a complaint by the US Department of Justice alleging that, between 2014 and 2019, the company used contact information that account holders had provided for security purposes for targeted advertising without their consent.