A security vulnerability in Twitter has allowed a bad actor to discover account names associated with certain email addresses and phone numbers (and yes, that could include your secret celebrity accounts), Twitter confirmed on Friday. Twitter initially patched the issue in January after receiving a report through its bug bounty program, but a hacker managed to exploit the flaw before Twitter even knew about it.
The vulnerability, which stems from an update the platform made to its code in June 2021, went unnoticed until earlier this year. This gave hackers several months to exploit the flaw, although Twitter said it “had no evidence to suggest anyone took advantage of the vulnerability” at the time of its discovery.
A report last month from BleepingComputer suggested otherwise and revealed that a hacker had managed to exploit the vulnerability while it flew under Twitter’s radar. The hacker allegedly amassed a database of more than 5.4 million accounts by taking advantage of the flaw, then attempted to sell the information on a hacker forum for $30,000. After analyzing data posted to the forum, Twitter confirmed that its user data had been compromised.
It’s still unclear how many users were actually affected, and Twitter doesn’t seem to know either. While Twitter says it plans to notify affected users, it is not “able to confirm each potentially impacted account.” Twitter advises anyone concerned about their secret accounts to turn on two-factor authentication, as well as attach an email address or phone number that isn’t publicly known to the account they don’t want to be associated with.