Twitter officially confirmed that a January breach led to the leak of information connected to 5.4 million accounts.
Two weeks ago, a hacker on Breach Forums offered email addresses and phone numbers connected to the accounts, which they said ranged from “celebrities, companies, randoms, OGs, etc.”
Researchers immediately tied the post to a vulnerability in Twitter’s platform that was discovered in January by a security researcher who reported the issue through HackerOne, which operates a bug bounty platform used by Twitter.
Twitter told The Record on July 22 that it would investigate the issue. On Friday, the company confirmed both that the information was obtained through the vulnerability and that the stolen information was legitimate.
The social media giant said the vulnerability allowed anyone to enter a phone number or email address when logging in to learn if that information was tied to an existing Twitter account. It could also be used to identify the specific account associated with that information.
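The flaw described above is an account-enumeration oracle: the response differs depending on whether the identifier is registered. The following added example (not Twitter's code; the user table and function names are constructed for illustration) shows a login-identifier check with that defect beside a hardened version that answers uniformly, plus a small oracle test a defender can run against either handler.

```python
# Constructed sample user store: identifier -> account id (hypothetical data).
USERS = {
    "alice@example.com": "acct_1001",
    "+15551230000": "acct_1002",
}


def vulnerable_identifier_check(identifier: str) -> dict:
    """Mirrors the reported flaw: the response reveals whether the
    email/phone is registered and which account it belongs to."""
    account_id = USERS.get(identifier)
    if account_id is not None:
        return {"status": "found", "account_id": account_id}
    return {"status": "not_found"}


def hardened_identifier_check(identifier: str) -> dict:
    """Uniform response: the lookup still happens server-side (so the
    code path is the same for both cases), but nothing about account
    existence or the account id is surfaced to the unauthenticated caller.
    Any follow-up (e.g. a verification code) is delivered out of band."""
    _registered = identifier in USERS  # result intentionally not returned
    return {
        "status": "ok",
        "message": "If this identifier is registered, a verification code will be sent.",
    }


def leaks_existence(check) -> bool:
    """Oracle test: does the handler respond differently for a registered
    identifier than for an unregistered one? True means enumeration is possible."""
    registered = check("alice@example.com")
    unregistered = check("nobody@example.com")
    return registered != unregistered


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_identifier_check),
                     ("hardened", hardened_identifier_check)):
        print(f"{name}: leaks existence = {leaks_existence(fn)}")
```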
“We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened,” the company explained.
For those who have pseudonymous Twitter accounts, the company said it “deeply regret[s] that this happened” and understands the risks the incident can introduce.
Twitter recommended not adding a publicly known phone number or email address to a Twitter account for those interested in keeping their identity concealed.
The company noted that the original bug that caused the breach came from an update to the platform’s code in June