A security flaw on Twitter allowed criminals to find out the account names associated with certain email addresses and phone numbers (yes, this could include your secret celebrity stan account), Twitter confirmed Friday. Twitter initially fixed the issue after receiving reports through its bug bounty program in January, but a hacker managed to exploit the vulnerability before Twitter even knew about it.
The vulnerability stemmed from an update the platform made to its code in June 2021 and was not noticed until earlier this year. That gave hackers months to exploit the flaw, although Twitter said it had “no evidence that anyone exploited it” at the time of its discovery.
A report last month from Bleeping Computer suggested otherwise, revealing that hackers managed to exploit the vulnerability while flying under Twitter’s radar. Hackers reportedly exploited the flaw to amass a database of more than 5.4 million accounts, then tried to sell the information on hacking forums for $30,000. After analyzing the data posted on the forum, Twitter confirmed that its user data had been compromised.
It’s unclear how many users were actually affected, though, and Twitter doesn’t seem to know either. While Twitter said it planned to notify affected users, it “was unable to identify every account that may have been affected.” Twitter recommends that anyone who cares about their secret accounts enable two-factor authentication and attach an email address or phone number that is not publicly known to any account they don’t want linked to them.