Twitter fixes security bug that exposed at least 5.4 million accounts


Twitter says it has fixed a vulnerability that allowed anyone to enter a phone number or an email address and find its linked Twitter account, potentially violating user anonymity and putting undercover celebrities and influencers at risk of exposure. A number of threat actors exploited the vulnerability to compile the information of 5.4 million Twitter accounts and list them for sale on a known cybercrime forum.

A famous security researcher published a bug bounty report tipping the platform to the vulnerability in January, six months after it was initially introduced to its codebase. Hackers, however, had already exploited the vulnerability in that six-month window.

According to the report, the vulnerability posed a “serious threat” to users who have private or pseudonymous accounts, and could be used to “create a database” or enumerate “a big chunk of the Twitter user base.” 
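To make the enumeration risk concrete, here is an added illustration (not Twitter's code and not from the bug bounty report): a toy contact-lookup endpoint that behaves like the reported bug, a hardened variant whose anonymous response does not depend on whether the identifier is linked, and a check a defender can keep in a test suite. All identifiers and handles are constructed.

```python
# Added illustration, not Twitter's code: a toy contact-lookup endpoint
# modelling the reported bug (identifier in, linked account out) next to a
# hardened variant. Every identifier and handle here is constructed.

from typing import Callable, Dict

# Constructed directory: phone number / email -> account handle.
ACCOUNTS: Dict[str, str] = {
    "+15550000001": "@constructed_private_user",
    "alice@example.invalid": "@constructed_pseudonym",
}

def lookup_vulnerable(identifier: str) -> dict:
    """Leaky pattern: the response differs depending on whether the
    identifier is linked to an account, so an unauthenticated caller can
    enumerate the directory one phone number or email at a time."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}

def lookup_hardened(identifier: str, verified_owner: bool = False) -> dict:
    """Hardened pattern: the unauthenticated response is identical for
    linked and unlinked identifiers. The linked handle is released only
    after the caller has proved control of the identifier (modelled by the
    verified_owner flag; in practice that proof is a code delivered to the
    phone number or mailbox itself)."""
    if verified_owner and identifier in ACCOUNTS:
        return {"status": "ok", "handle": ACCOUNTS[identifier]}
    return {"status": "ok"}

def is_enumeration_oracle(lookup: Callable[[str], dict]) -> bool:
    """Regression check: call the endpoint as an anonymous user with one
    linked and one unlinked identifier and flag any difference."""
    linked = lookup("+15550000001")
    unlinked = lookup("+15550009999")  # constructed, not in ACCOUNTS
    return linked != unlinked

if __name__ == "__main__":
    print("vulnerable leaks linkage:", is_enumeration_oracle(lookup_vulnerable))
    print("hardened leaks linkage:", is_enumeration_oracle(lookup_hardened))
    print("owner lookup:", lookup_hardened("alice@example.invalid", verified_owner=True))
```

The check compares response bodies only; in a real service the status code, headers and response time for the anonymous path should be made uniform as well, and per-source rate limits belong on the endpoint regardless.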

Despite the early tip, it wasn’t until another press report was published in July that Twitter took action. The report covered a listing on a cybercrime forum claiming to have user data “from celebrities to companies,” as well as “OGs,” a term for custom or highly sought-after social media and gaming usernames.

“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. “We will be directly notifying the account owners we can confirm were affected by this issue.” 

The social media platform proceeded to award the famous security researcher $6,000 for his efforts.

This is not the first time Twitter’s database has been compromised. A similar vulnerability was discovered in 2019 that allowed another security researcher to match 17 million phone numbers to Twitter accounts.

In May, Twitter also agreed to pay $150 million in a settlement with the Federal Trade Commission after the company misused phone numbers and email addresses, which users submitted for setting up two-factor authentication, for targeted advertising.
