Twitter has patched a security vulnerability that enabled malicious hackers to gather data from 5.4 million Twitter accounts and sell it on the Dark Web. The Twitter bug permitted anyone to submit a known phone number or email address and learn whether it was linked to an existing Twitter account, potentially revealing the identity of a user.
In a brief statement published Friday about the Twitter bug, the microblogging platform said, “if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with if any.”
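The statement above describes a classic account-enumeration oracle: a lookup endpoint whose response differs depending on whether the submitted identifier is already tied to an account. The following Python is an added illustration, not Twitter's code, and every account record and log line in it is constructed. It places the leaking lookup beside a hardened one that answers identically for known and unknown identifiers, and adds a simple log check that flags a client submitting many distinct identifiers in one minute, which is how bulk harvesting of the kind the article describes tends to look in server logs.

```python
"""Account-enumeration oracle: the leaking lookup beside a hardened one,
plus a log check that flags bulk enumeration.

Added example; not Twitter's code. All data below is constructed.
"""
from collections import defaultdict

# Constructed sample account table: contact identifier -> handle.
ACCOUNTS = {
    "alice@example.com": "@alice",
    "+15551230001": "@pseudonymous_bob",
}


def lookup_weak(identifier: str) -> str:
    """Vulnerable behaviour: the reply reveals whether the identifier is
    linked to an account, and even names the account."""
    if identifier in ACCOUNTS:
        return f"This contact is already linked to {ACCOUNTS[identifier]}."
    return "No account found for this contact."


def lookup_hardened(identifier: str) -> str:
    """Hardened behaviour: the reply is identical for known and unknown
    identifiers. Confirmation is delivered out of band (e.g. a message sent
    to the email or phone number itself), so only the owner learns anything.
    The out-of-band delivery is simulated here."""
    if identifier in ACCOUNTS:
        pass  # would send the owner a notification; nothing is returned to the caller
    return "If an account is linked to this contact, we have sent it a message."


def is_oracle(lookup) -> bool:
    """True if the lookup's response differs between a known and an unknown
    identifier, i.e. it can be used to test identifiers in bulk."""
    known = lookup("alice@example.com")
    unknown = lookup("nobody@example.invalid")
    return known != unknown


# Constructed web-server log lines: "<timestamp> <client_ip> <method> <path> id=<identifier>".
# One ordinary client repeats a single lookup; another submits 25 distinct
# identifiers in the same minute.
SAMPLE_LOG = [
    "2022-07-01T10:00:01Z 198.51.100.4 POST /account/lookup id=alice@example.com",
    "2022-07-01T10:00:09Z 198.51.100.4 POST /account/lookup id=alice@example.com",
] + [
    f"2022-07-01T10:00:{i:02d}Z 203.0.113.7 POST /account/lookup id=user{i}@example.com"
    for i in range(10, 35)
]


def flag_enumerators(lines, threshold: int = 20) -> list:
    """Return client IPs that submitted at least `threshold` distinct
    identifiers to the lookup endpoint within a single minute bucket."""
    distinct = defaultdict(set)  # (client_ip, minute) -> set of identifiers
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[3] != "/account/lookup":
            continue
        ts, client_ip = parts[0], parts[1]
        identifier = parts[4].split("=", 1)[1]
        minute = ts[:16]  # YYYY-MM-DDTHH:MM
        distinct[(client_ip, minute)].add(identifier)
    flagged = {ip for (ip, _), ids in distinct.items() if len(ids) >= threshold}
    return sorted(flagged)


if __name__ == "__main__":
    print("weak lookup is an oracle:", is_oracle(lookup_weak))
    print("hardened lookup is an oracle:", is_oracle(lookup_hardened))
    print("clients flagged for enumeration:", flag_enumerators(SAMPLE_LOG))
```

The uniform response is the fix the vulnerability actually calls for; the log check is a detection control, useful because even a correct endpoint is often reachable through other flows (password reset, contact sync) that need the same scrutiny.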
How was the Twitter bug discovered?
Twitter says it patched the vulnerability in January, six months after it was first discovered in its platform, following a bug bounty report from a security researcher who received $6,000 for finding the bug.
The security vulnerability that was submitted through the Twitter bug bounty program constituted a “severe threat” to users with private or pseudonymous accounts, according to the bug bounty report, and could be used to “build a database” or identify “a large section of the Twitter user base.” It’s identical to a late 2019 bug that allowed a security researcher to connect 17 million phone numbers to Twitter accounts.
However, the researcher's warning about the Twitter bug came too late. During those six months, hackers had already exploited the weakness to compile a database of email addresses and phone numbers for 5.4 million Twitter accounts.
The company added, “while no passwords were exposed, we encourage everyone who uses Twitter to enable two-factor authentication using authentication apps or hardware security keys to protect your account from unauthorized logins.”
Twitter said it learned of the exploitation from an undisclosed press report in July, which found a listing on a cybercrime forum claiming to offer user data “from celebrities to companies,” as well as OGs.
After reviewing a sample of the data offered for sale, Twitter confirmed that a malicious actor had taken advantage of the vulnerability before it was patched. The company said it will directly notify the account owners affected by this incident.