Twitter announced on Aug. 5 that it found a security flaw in its system that enabled a threat actor to learn about whether a phone number or an email address was associated with an existing Twitter account, after 5.4 million Twitter accounts were reportedly exposed by a threat actor.
In a security advisory, Twitter said that in January 2022, it received a report about a vulnerability that enabled a person to submit an email address or phone number to Twitter’s systems and learn about any existing Twitter account that was associated with the provided data.
“This bug resulted from an update to our code in June 2021,” Twitter said on Aug. 5 of the security flaw. “When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”
The announcement continued: “In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”
Twitter said it will be “directly notifying” Twitter account owners that were confirmed to have been affected.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” the company said.
Twitter said that people who operate pseudonymous accounts—accounts using a different name to their real names—should not add a publicly-known phone number or email address to their Twitter account.
“While no passwords were exposed, we encourage everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect your account from unauthorized logins,” Twitter added.
