Twitter has officially confirmed that a security vulnerability in its code led to the exposure of user information. The company said in a blog post that a malicious actor took advantage of the issue before it was identified and fixed.
“In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability,” Twitter wrote.
In July, media reports emerged that a database containing account details of over 5.4 million Twitter users had been put up for sale on a hacker forum for $30,000. The database held information about a range of accounts, including celebrities, companies, and random users. After analyzing a sample of the data offered for sale, Twitter confirmed that its user data had been compromised.
While Twitter said it is notifying the account owners affected by the breach, the company didn’t disclose the number of impacted users, stating that “we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”