Twitter says it has fixed a security vulnerability that allowed threat actors to harvest information on 5.4 million Twitter accounts that were listed for sale on a popular cybercrime forum.
The vulnerability allowed anyone to enter a phone number or email address of a known user and learn if it was linked to an existing Twitter account, potentially exposing the identities of pseudonymous accounts.
In a short statement published Friday, the microblogging giant said, “if someone were to submit an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the email address or phone number was associated with, if any”.
Twitter said it fixed the flaw in January — six months after the flaw was first introduced into its codebase — following a bug bounty report by a security researcher who was paid $6,000 for discovering the vulnerability.
According to the bug bounty report, the vulnerability posed a “serious threat” to users who have private accounts or pseudonyms and could be used to “create a database” or enumerate “a large portion of Twitter’s user base.” It is similar to a vulnerability discovered in late 2019 that allowed a security researcher to match 17 million phone numbers to Twitter accounts.
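The flaw described above is a classic account-enumeration oracle: a lookup endpoint whose response differs depending on whether the submitted email or phone number is tied to an account, which lets anyone with a list of candidate identifiers build exactly the kind of database the report warns about. The following is an added example, not Twitter's code and not taken from the bug bounty report; the handles, email addresses and phone numbers are constructed. It shows a leaking lookup beside a non-revealing one, the attacker loop that turns the leak into a database, and the differential check a practitioner would use to tell the two apart.

```python
"""
Account-enumeration oracle: a leaking lookup, a non-revealing lookup,
the attacker loop, and a differential check.  Constructed example;
all identifiers and handles below are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable

# Constructed directory: contact identifier -> (pseudonymous) account handle.
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "@nightowl_42",
    "+15550001111": "@nightowl_42",
    "bob@example.org": "@bob_dev",
}


def vulnerable_lookup(identifier: str) -> dict:
    """Leaks the link: the response reveals which account (if any) owns the identifier."""
    handle = ACCOUNTS.get(identifier)
    if handle:
        return {"status": "linked", "account": handle}
    return {"status": "not_found"}


@dataclass
class HardenedLookup:
    """Same feature without the oracle: identical response whether or not the
    identifier exists, plus a per-source rate limit so bulk probing is cut off."""
    limit: int = 5
    calls: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def lookup(self, identifier: str, source: str) -> dict:
        self.calls[source] += 1
        if self.calls[source] > self.limit:
            return {"status": "rate_limited"}
        # Any real work (e.g. queuing a message to the identifier) happens
        # server-side; the result is never reflected back to the caller.
        _ = ACCOUNTS.get(identifier)
        return {"status": "ok",
                "message": "If this identifier is registered, we will contact it."}


def enumerate_accounts(candidates: Iterable[str],
                       lookup: Callable[[str], dict]) -> Dict[str, str]:
    """Attacker loop: feed candidate identifiers to the endpoint and keep
    every one the response ties to an account."""
    found: Dict[str, str] = {}
    for ident in candidates:
        resp = lookup(ident)
        if resp.get("status") == "linked":
            found[ident] = resp["account"]
    return found


def is_enumeration_oracle(lookup: Callable[[str], dict],
                          known: str, unknown: str) -> bool:
    """Differential check: an endpoint is an oracle if a registered and an
    unregistered identifier produce different responses."""
    return lookup(known) != lookup(unknown)


if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.net",
              "+15550001111", "bob@example.org"]
    print("leaked:", enumerate_accounts(probes, vulnerable_lookup))
    hardened = HardenedLookup(limit=3)
    print("hardened:", enumerate_accounts(
        probes, lambda i: hardened.lookup(i, "attacker-ip")))
```

The differential check is the practical test to run against any "find my account" or "send reset link" endpoint: compare the full response (status, body, headers, and timing where possible) for an identifier you know is registered and one you know is not. Making the bodies identical removes the direct leak; the rate limit is what stops the remaining side channels from being mined at the scale seen here.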
But the researcher’s warning came too late. Hackers had already exploited the vulnerability during that six-month period to create a database of the email addresses and phone numbers of 5.4 million Twitter accounts.
Twitter said it learned of the exploit from an unspecified press report in July, which found a listing on a cybercrime forum that claimed to have user data “from celebrities to companies” and “OG” usernames, meaning short, common or highly sought-after social media handles.
“After reviewing a sample of data available for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. “We will directly notify account owners that we can confirm are affected by this issue.”
This is the latest security incident to hit Twitter in recent years. In May, Twitter agreed to pay $150 million in a settlement with the Federal Trade Commission after the company used phone numbers and email addresses that users had submitted to set up two-factor authentication for targeted advertising.