1 What the Bug Exposed
Because of the vulnerability, anyone could enter a phone number or email address of a Twitter user and see if it was connected to an existing Twitter account. That would potentially reveal the identity of anyone who intended to operate an account under a pseudonym.
“If someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the company said in a statement on Friday.
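The behaviour described above is a classic account-enumeration flaw: the server's reply differs depending on whether the submitted email address or phone number is linked to an account. The following Python sketch is an added example, not Twitter's code; it uses a constructed in-memory user table and a simulated out-of-band mailbox to contrast a leaky lookup with a hardened one that answers identically in both cases and throttles repeated queries per caller.

```python
"""Contact lookup: leaky vs. hardened (added illustration, not Twitter's implementation)."""
from collections import defaultdict, deque
from typing import Optional
import time

# Constructed sample data standing in for the account store; not real accounts.
USERS = {
    "alice@example.com": "@alice_pseudonym",
    "+15555550100": "@bob",
}

# Simulated out-of-band channel (email/SMS); a real deployment would send the message.
OUTBOX = []


def send_recovery_notice(contact: str, handle: str) -> None:
    """Deliver a notice to the contact itself, so only its true owner learns anything."""
    OUTBOX.append((contact, f"A recovery request was made for {handle}."))


def vulnerable_lookup(identifier: str) -> dict:
    """The flawed pattern: the response reveals whether (and to which account) the
    identifier is linked, so anyone can confirm a contact-to-account mapping."""
    handle = USERS.get(identifier)
    if handle is None:
        return {"found": False, "message": "No account is linked to that contact."}
    return {"found": True, "handle": handle}


GENERIC_REPLY = {"message": "If that contact is linked to an account, we have sent instructions to it."}


def hardened_lookup(identifier: str) -> dict:
    """Same response whether or not the identifier is known; any account-specific
    detail travels out-of-band to the contact rather than back to the caller."""
    handle = USERS.get(identifier)
    if handle is not None:
        send_recovery_notice(identifier, handle)
    return dict(GENERIC_REPLY)


class RateLimiter:
    """Sliding-window limiter: at most `limit` lookups per `window` seconds per caller,
    which makes bulk harvesting of millions of contacts impractical."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, caller: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[caller]
        while q and now - q[0] > self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def guarded_lookup(limiter: RateLimiter, caller: str, identifier: str,
                   now: Optional[float] = None) -> dict:
    """Hardened lookup behind a per-caller throttle."""
    if not limiter.allow(caller, now):
        return {"error": "too many requests"}
    return hardened_lookup(identifier)


def responses_are_indistinguishable() -> bool:
    """Sanity check a reviewer would run: a known and an unknown contact yield identical replies."""
    return hardened_lookup("alice@example.com") == hardened_lookup("nobody@example.com")


if __name__ == "__main__":
    print("leaky  :", vulnerable_lookup("alice@example.com"))
    print("hardened:", hardened_lookup("alice@example.com"))
    print("indistinguishable:", responses_are_indistinguishable())
```

The uniform reply removes the oracle the article describes; the throttle addresses the scale of the harvesting (a database covering millions of accounts). Response timing is not equalised here, so a production version should also avoid observable latency differences between the two paths.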
2 Is the Problem Fixed?
Twitter said the bug had been introduced into its code in June 2021 and that it fixed the issue in January, after it was notified of the hack through its “bug bounty” program. At that time, the company “had no evidence to suggest someone had taken advantage of the vulnerability.”
3 Stolen Email Addresses and Phone Numbers
But hackers had already created a database of email addresses and phone numbers behind the 5.4 million Twitter accounts and were intending to sell them. Twitter said it learned about this from a press report in July.
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” the company said. “We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”
4 How to Keep Your Account Safe
“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened,” Twitter said. “To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”
The company added: “While no passwords were exposed, we encourage everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect your account from unauthorized logins.”
5 Just the Latest Security Breach for Twitter
TechCrunch noted that this is just the latest in a series of security issues Twitter has faced in recent years. In May, the company agreed to pay $150 million in a settlement with the Federal Trade Commission after misusing user phone numbers and email addresses. The company used them for targeted advertising, which users had not authorized; they had only submitted them for two-factor authentication.