Twitter security flaw may have exposed over 5 million accounts

[Image: Twitter logo against a laptop screen. Image credit: Jay Bonggolto / Android Central]

What you need to know

  • Twitter was hit with a new security vulnerability, which has been fixed.
  • The vulnerability enabled hackers to identify which account an email address or phone number is associated with.
  • This potentially exposed the real identity of pseudonymous accounts.

A Twitter bug exposed the identities of millions of pseudonymous accounts, with the resulting data later offered on a hacker forum, the microblogging service has confirmed, adding that it has since fixed the vulnerability.

The loophole enabled bad actors to find out whether a phone number or email address was associated with an existing account simply by submitting it to the log-in flow.

"As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," Twitter said in a blog post.
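The flaw described above is an account-enumeration oracle: the reply to a contact lookup differs depending on whether the contact is on file. As an added example that is not Twitter's code, the following Python simulates the flawed lookup beside a hardened one that returns a fixed reply regardless of input and throttles bulk probing; the account directory, handles and caller addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample directory (placeholder identifiers): contact -> handle.
ACCOUNTS = {
    "alice@example.com": "@alice_pseudonym",
    "+15550000001": "@whistleblower42",
}

def lookup_vulnerable(identifier: str) -> dict:
    """Flawed behaviour, as in the bug described above: the reply itself says
    whether the contact is on file and which account it belongs to."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"found": False, "message": "No account matches that contact."}
    return {"found": True, "handle": handle}

class HardenedLookup:
    """Hardened variant: one fixed reply for every input, plus a per-caller
    request cap that throttles bulk probing and records an audit event."""
    def __init__(self, max_per_caller: int = 5):
        self.max_per_caller = max_per_caller
        self.calls = defaultdict(int)
        self.audit = []  # a real service would forward these to its SIEM

    def lookup(self, identifier: str, caller: str) -> dict:
        self.calls[caller] += 1
        if self.calls[caller] > self.max_per_caller:
            self.audit.append(f"contact-lookup rate limit exceeded by {caller}")
            return {"message": "Too many requests. Try again later."}
        if identifier in ACCOUNTS:
            # Any action on a match happens out of band (e.g. notifying the
            # account owner); nothing about the match reaches the caller.
            self.audit.append("lookup hit a contact on file; owner notice queued")
        return {"message": "If that contact is on file, we have sent it instructions."}

def is_enumeration_oracle(lookup, known: str, unknown: str) -> bool:
    """True when a known and an unknown contact produce different replies,
    i.e. the endpoint leaks whether an account exists."""
    return lookup(known) != lookup(unknown)
```

The same check can be pointed at any real lookup endpoint during a review: if `is_enumeration_oracle` returns True for a known and an unknown contact, the endpoint leaks existence.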

The security flaw stemmed from an update to Twitter's code introduced in June of last year. Twitter fixed the issue after receiving a report last January through its bug bounty program. The company added that it found "no evidence to suggest someone had taken advantage of the vulnerability" when it first learned about the bug.

However, the bug report came too late because some bad actors had already exploited the flaw. According to a Bleeping Computer report, a hacker sold a database containing phone numbers and email addresses tied to 5.4 million accounts via a hacker forum for $30,000.

"After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed," Twitter confirmed.

The company did not say how many accounts were affected, but it did say the breach potentially affected users with pseudonymous accounts. The database for sale, according to Bleeping Computer, contains information "about various accounts, including celebrities, companies, and random users."

Twitter will notify account owners affected by this vulnerability. For users with pseudonymous accounts, the platform recommends "not adding a publicly known phone number or email address" to their Twitter accounts in order to keep their identity hidden.

Fortunately, no passwords were compromised as a result of the hack. Nonetheless, the service encourages users to enable two-factor authentication through the use of authentication apps or hardware security keys.

Jay Bonggolto
News Writer & Reviewer