“Associating a private email address and phone number with a Twitter account has the potential to add an additional dimension to this data breach.
“From what we know so far, it seems likely that an additional attack could be or could have already been launched against high-profile users with MFA enabled. We’ve seen what can happen when accounts are compromised on Twitter – usually some sort of cryptocurrency scam attempt – and while there’s been no evidence of such an attack recently, users should be on the lookout for unexpected login attempts or unsolicited messages and calls.
“Outside of Twitter, there is a possibility that attackers could use the phone number to spoof MFA requests from other services (such as those associated with an @icloud or @gmail account).
“Also, while bug bounties are great for finding vulnerabilities, it’s still up to the company to ensure they have sufficiently closed the gap, as well as having the ability to hunt through historical activity to find evidence of exploitation; otherwise they risk public embarrassment, as Twitter has over the past few days. Either way, this incident is not a good look for Twitter after a tumultuous few months.”