  • Updated: August 05, 2022

Twitter Resolves Security Flaw That Exposed At Least 5.4 Million Accounts


Social media giant Twitter claims to have patched a security hole that allowed threat actors to gather data from 5.4 million accounts, data that was offered for sale on a well-known marketplace for cybercrime.

The flaw potentially exposed the real identities of pseudonymous accounts by allowing anyone to enter a known user's phone number or email address and find out if it was connected to an active Twitter account.

Twitter claimed in a succinct statement released on Friday that "if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email address or phone number was associated with if any."

The company says the flaw was addressed in January, six months after it was first added to Twitter's software, as a result of a bug bounty report from a security researcher who received $6,000 for revealing the vulnerability.

The vulnerability could be used to "build a database" or count "a significant portion of the Twitter user base," according to the bug bounty report, and posed a risk to users who have private or pseudonymous accounts.
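The behaviour described above, next to one way to close it, as an added example that is not Twitter's code. All names (`lookup_leaky`, `LookupGuard`, `is_oracle`) and the sample directory are hypothetical, and the article does not say how Twitter implemented its fix, so the uniform reply and per-client cap are assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory: contact identifier -> account handle.
ACCOUNTS = {"alice@example.com": "@night_owl", "+15550100": "@quiet_fox"}

def lookup_leaky(identifier):
    """Flawed form: the reply names the account linked to the identifier."""
    handle = ACCOUNTS.get(identifier)
    return {"found": handle is not None, "account": handle}

class LookupGuard:
    """Hardened form: uniform reply plus a per-client cap on distinct identifiers."""

    def __init__(self, max_distinct=3, window_seconds=3600):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self.seen = defaultdict(deque)  # client -> (timestamp, identifier) pairs

    def lookup(self, client, identifier, now=None):
        now = time.time() if now is None else now
        history = self.seen[client]
        # Drop submissions that have aged out of the sliding window.
        while history and now - history[0][0] > self.window:
            history.popleft()
        distinct = {ident for _, ident in history}
        # Bulk submission of new identifiers is what builds a database.
        if identifier not in distinct and len(distinct) >= self.max_distinct:
            return {"status": "rate_limited"}
        history.append((now, identifier))
        # Same body whether or not the identifier is registered; any follow-up
        # is sent out-of-band to the identifier's owner, never to the caller.
        return {"status": "accepted"}

def is_oracle(lookup, registered, unregistered):
    """Regression check: True if replies reveal whether an identifier is registered."""
    return lookup(registered) != lookup(unregistered)
```

`is_oracle` can run in a test suite against any endpoint that accepts an email address or phone number, so a change that reintroduces a distinguishing reply fails the build.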

A security researcher was able to link 17 million phone numbers to Twitter accounts thanks to a flaw that was found in late 2019.

However, the researcher's advice came too late.

During that six-month period, hackers had already used the flaw to compile a database of 5.4 million Twitter account email addresses and phone numbers.

According to Twitter, it learned about the exploitation from an unnamed press report published in July that uncovered a listing on a forum for cybercriminals that claimed to have user information on "celebrities to companies" and "OGs," which is a term for unique or highly desired social media and gaming usernames.

“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. 

“We will be directly notifying the account owners we can confirm were affected by this issue.”

This is the most recent security incident to affect Twitter in recent years.

Twitter reached a settlement with the Federal Trade Commission in May and agreed to pay $150 million after the business exploited, for targeted advertising, the phone numbers and email addresses that users had provided to set up two-factor authentication.
