
Twitter says it has closed a security hole that allowed hackers to collect data on more than 5 million accounts and then sell it on a well-known underground marketplace for cybercrime.
Because of this flaw, anyone who submitted the phone number or email address of a known person could learn which pseudonymous Twitter account it was linked to, revealing the real identity behind that account.
In a brief statement released on Friday, the microblogging giant explained that its “systems would tell the person what Twitter account, if any, the submitted email addresses or phone numbers were associated with.”
The bug was finally patched in January, six months after it was introduced into Twitter’s codebase, thanks to a bug bounty report from a security researcher who was paid $6,000 for reporting the flaw.
The bug bounty report stated that this flaw could be exploited to “create a database” or “enumerate a big chunk of the Twitter user base,” and thus posed a “serious threat” to users with private or pseudonymous accounts. This is very similar to a bug that was found at the end of 2019 and allowed a security researcher to link 17 million phone numbers to their respective Twitter accounts.
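As an added illustration, not Twitter's code and built on constructed sample data, the lookup shape the statement describes (one answer when the contact is linked, another when it is not, plus the handle) beside a hardened version that answers identically either way and budgets requests per client so bulk querying is throttled and logged:

```python
from collections import defaultdict

# Constructed sample directory: contact identifier -> pseudonymous handle.
ACCOUNTS = {
    "alice@example.com": "@night_owl_42",
    "+15555550123": "@anon_reporter",
}


def lookup_vulnerable(identifier: str) -> dict:
    """The disclosure pattern in the article: the response differs depending
    on whether the identifier is linked, and even names the account."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"linked": False}
    return {"linked": True, "handle": handle}


class HardenedLookup:
    """Same feature, hardened: the caller gets the same body and status
    whether or not the identifier is linked, and each client has a request
    budget; exceeding it is recorded for the detection pipeline."""

    def __init__(self, limit: int = 5):
        self.limit = limit
        self.counts = defaultdict(int)
        self.audit = []  # (client, reason) entries for monitoring

    def lookup(self, client: str, identifier: str) -> dict:
        self.counts[client] += 1
        if self.counts[client] > self.limit:
            self.audit.append((client, "lookup rate limit exceeded"))
            return {"status": "too_many_requests"}
        # Any real work (e.g. notifying the account owner) happens out of band;
        # the result of the match is deliberately not reflected in the reply.
        # Response timing should be made uniform as well; not shown here.
        _ = ACCOUNTS.get(identifier)
        return {
            "status": "ok",
            "message": "If this contact is linked to an account, its owner has been notified.",
        }
```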
The researcher’s warning, however, arrived too late. Within that six-month window, hackers were able to compile a list of 5.4 million Twitter users’ email addresses and phone numbers.
Twitter said it found out about the abuse through an unnamed media report in July. The report uncovered a listing on a cybercrime forum boasting to have user data “from celebrities to companies,” as well as “OGs,” which are unique or highly sought-after social media and gaming usernames.
Twitter said that it had “confirmed that a bad actor had taken advantage of the issue before it was addressed” after reviewing a sample of the data for sale. The company added that it will directly notify all users whose accounts it can confirm were affected.
It is the latest in a series of Twitter security incidents. When users set up two-factor authentication on Twitter, the company obtained their phone numbers and emails and then used them for targeted advertising without their permission, which led Twitter to settle with the Federal Trade Commission in May for $150 million.