A security vulnerability on Twitter allowed a bad actor to figure out the account names associated with certain email addresses and phone numbers (and yes, those could be your secret celebrity-stan accounts), Twitter confirmed on Friday. Twitter initially patched the issue in January after receiving a report through its bug bounty program, but a hacker managed to exploit the flaw before Twitter even knew about it.
The vulnerability, which resulted from an update the platform made to its code in June 2021, went undetected until earlier this year. This gave hackers several months to exploit the vulnerability, although Twitter said it had “no evidence to suggest that anyone had exploited the vulnerability” at the time of discovery.
Last month’s report from BleepingComputer suggested otherwise, revealing that a hacker had managed to exploit the vulnerability while flying under Twitter’s radar. The hacker reportedly amassed a database of more than 5.4 million accounts using the flaw, then attempted to sell the information on a hacker forum for $30,000. After analyzing the data posted to the forum, Twitter confirmed that the user data had been compromised.
However, it’s still unclear how many users were actually affected, and Twitter doesn’t seem to know either. While Twitter says it plans to notify affected users, it is not “able to confirm every account that may have been affected”. Twitter advises anyone concerned about their secret accounts to turn on two-factor authentication and, for any account they don’t want linked to their identity, to use an email address or phone number that is not publicly known.