Twitter has confirmed a vulnerability in its code led to a data exposure late last year. In a blog post published on Friday, the company said a malicious actor took advantage of a zero-day flaw before it became aware of and patched the issue in January 2022. The vulnerability was discovered by a security researcher who contacted Twitter through the company’s bug bounty program.
When Twitter first learned of the flaw, it said it had “no evidence” to suggest it had been exploited. However, an individual told Bleeping Computer last month that they took advantage of the vulnerability to obtain data on more than 5.4 million accounts. Twitter said it could not confirm how many users were affected by the exposure. The vulnerability allowed the bad actor to determine whether an email address or phone number was tied to an existing Twitter account. In turn, they could use that information to determine the identity of an account’s owner.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” Twitter said. “If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened.”
Twitter said it would directly notify every account owner it could confirm was affected by the exposure. For users trying to keep their identity hidden, the company recommends not adding a publicly known phone number or email address to an account. It also suggests adding two-factor authentication.