Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with
Hackers Exploit Twitter Vulnerability to Expose 5.4 Million Accounts
Ravie Lakshmanan with The Hacker News reports:
Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform.
“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the company said in an advisory.
Twitter said the bug, which it was made aware of in January 2022, stemmed from a code change introduced in June 2021. No passwords were exposed as a result of the incident.
The six-month delay in making this public stems from new evidence last month that an unidentified actor had potentially taken advantage of the flaw before the fix to scrape user information and sell it for profit on Breach Forums.
Although Twitter didn’t reveal the exact number of impacted users, the forum post made by the threat actor shows that the flaw was exploited to compile a list containing allegedly over 5.48 million user account profiles.
Restore Privacy, which disclosed the breach late last month, said the database was being sold for $30,000.