Twitter has confirmed that it was breached last month via a now-patched 0-day vulnerability in Twitter’s systems, allowing an attacker to link email addresses and phone numbers to user accounts. This enabled the attacker to compile a list of 5.4 million Twitter user account profiles.
“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously, and it is unfortunate that this happened.”
When a person submits a publicly known email address or phone number to Twitter, the system tells this person what Twitter account the email or phone number is associated with. The attacker took advantage of this and created a list containing 5.4 million Twitter users with scraped publicly available details of the accounts, including whether the account was verified.
This is especially worrying for users who want to remain anonymous on the platform. It's a bit late now, but Twitter recommends anyone trying to stay anonymous should not tie a publicly known phone number or email to their Twitter account.
If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.
According to BleepingComputer, the attacker sold the data on twice, saying that “the data would likely be released for free in the future.”
Twitter introduced the vulnerability after updating its code in June 2021. A threat hunter reported this vulnerability in January 2022, with Twitter eventually awarding the researcher for the find as part of its bug bounty program.
While the company says no passwords were compromised, it continues to encourage users to enable two-factor authentication (2FA) for their accounts, either in the form of authentication apps or hardware keys.