Last week, Twitter confirmed that a vulnerability in its systems led to a threat actor collating the information of millions of users. The vulnerability allowed anyone on the platform to find the accounts associated with any phone number and email address.
Twitter acknowledged the incident in response to a July HackerOne report that claimed personal information of Twitter users was offered for sale on a dark web marketplace for $30,000. The microblogging company didn’t confirm the number of accounts whose information was collected but sampled some of the on-sale data and verified that a threat actor had indeed exploited the flaw.
Twitter, slapped with a $150 million privacy-related fine in May 2022 and currently in the middle of a lawsuit against Elon Musk over the pending takeover, said the bug was introduced on the platform in June 2021 and that it had already fixed the vulnerability in January 2022.
This means Twitter was unaware of the flaw for at least six months until it was reported under its bug bounty program, a window during which the threat actor, going by the name devil, amassed this information. Twitter paid the researcher, going by the name zhirinovskiy on HackerOne, $5,040 under its bug bounty program.
5.4 Million Twitter User Database for Sale in July 2022 | Source: RestorePrivacy.com
“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” Twitter explained.
This includes any alt or secret accounts users may have used on the platform to maintain privacy. The company added, “We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”
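The class of bug Twitter describes is an account-existence oracle: a lookup that answers differently depending on whether a submitted email or phone number is already tied to an account. The following is an added illustration, not Twitter's code; the account records, handles and response strings are constructed, and it shows the leaky pattern beside a hardened version plus a simple check a team can run against its own endpoint.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str


# Constructed sample data; "alt_handle" stands in for a pseudonymous account
# that the owner never wanted linked to a phone number or email.
ACCOUNTS = [
    Account("public_handle", "jane@example.com", "+15550100"),
    Account("alt_handle", "alt@example.com", "+15550101"),
]


def lookup_vulnerable(identifier: str) -> str:
    """Leaky pattern: the response reveals which account, if any, uses the
    submitted email or phone. Anyone able to call this with arbitrary
    identifiers can link contact details to handles at scale."""
    for acct in ACCOUNTS:
        if identifier in (acct.email, acct.phone):
            return f"This email or phone is already linked to @{acct.handle}"
    return "No account uses this email or phone"


def lookup_hardened(identifier: str) -> str:
    """Hardened pattern: the caller receives the same response whether or
    not the identifier is known. Any account-specific follow-up (such as a
    sign-in or reset link) is delivered to the submitted address out of
    band, never in the HTTP response."""
    # The match is still computed server-side (for the out-of-band step)
    # but is deliberately not reflected back to the caller.
    _matched = [a for a in ACCOUNTS if identifier in (a.email, a.phone)]
    return "If this email or phone is linked to an account, we will send instructions to it"


def responses_distinguishable(lookup: Callable[[str], str], known: str, unknown: str) -> bool:
    """Defender's check: True means a known and an unknown identifier yield
    different responses, i.e. the endpoint acts as an existence oracle."""
    return lookup(known) != lookup(unknown)
```

Rate limiting and anti-automation on such endpoints reduce the blast radius, but only a uniform response removes the oracle itself.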
Translation: more than 5.4 million users could be impacted by the vulnerability. Affected users/accounts that Twitter can confirm should expect a notification from the company.
In the meantime, Twitter advised pseudonymous Twitter account owners not to add publicly known phone numbers to their accounts.