Twitter fixes security bug, exposes at least 5.4M accounts


Twitter announced that it resolved a security issue that enabled hackers to compile information from 5.4 million Twitter accounts, which were then listed for sale on a cyber crime forum. The vulnerability has since been fixed, and affected Twitter users are expected to receive notification.

Twitter’s security bug

The vulnerability enabled anyone to submit the phone number or email address of a known person and learn whether it was tied to an existing Twitter account, potentially exposing pseudonymous account identities.

In a statement published today, Twitter said “if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any.”
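To make the flaw concrete, here is an added illustration (not Twitter's code) of an account-lookup handler in the leaky form the statement describes, beside a hardened form whose reply does not depend on whether the identifier is known, plus a simple detector that flags sources probing many distinct identifiers. The account store, log lines and addresses are constructed for the example.

```python
"""Contact-to-account lookup: leaky vs. hardened handler, plus enumeration detection."""
from collections import defaultdict

# Constructed sample store (identifier -> handle); not real account data.
ACCOUNTS = {"alice@example.org": "@alice_priv", "+15550100": "@pseudonym42"}
OUTBOX = []  # stands in for an out-of-band email/SMS channel


def lookup_leaky(identifier: str) -> dict:
    """Mirrors the described flaw: the reply itself states which account,
    if any, the email or phone number is associated with."""
    handle = ACCOUNTS.get(identifier)
    return {"found": handle is not None, "account": handle}


def lookup_hardened(identifier: str) -> dict:
    """Reply is byte-identical whether or not the identifier is known.
    Only the real owner of the contact learns anything, via the out-of-band
    channel, so the endpoint cannot be used to confirm an association."""
    if identifier in ACCOUNTS:
        OUTBOX.append(identifier)  # e.g. send a recovery code to that contact
    return {"status": "If this contact is linked to an account, we have sent it a message."}


# Constructed request log: "<timestamp> <source-ip> <identifier-submitted>".
SAMPLE_LOG = [
    "2022-01-05T10:00:01 198.51.100.4 alice@example.org",
    "2022-01-05T10:00:02 203.0.113.7 a@example.org",
    "2022-01-05T10:00:02 203.0.113.7 b@example.org",
    "2022-01-05T10:00:03 203.0.113.7 +15550100",
    "2022-01-05T10:00:03 203.0.113.7 c@example.org",
    "2022-01-05T10:00:09 198.51.100.4 alice@example.org",
]


def enumeration_suspects(log_lines, threshold: int = 3) -> list:
    """Return sources that submitted at least `threshold` distinct identifiers.
    A legitimate user re-checks their own contact; an enumerator sweeps many."""
    probes = defaultdict(set)
    for line in log_lines:
        _ts, src, ident = line.split()
        probes[src].add(ident)
    return sorted(src for src, idents in probes.items() if len(idents) >= threshold)


if __name__ == "__main__":
    print(lookup_leaky("alice@example.org"))      # reveals the handle
    print(lookup_hardened("alice@example.org"))   # same reply as for an unknown contact
    print(enumeration_suspects(SAMPLE_LOG))       # ['203.0.113.7']
```

Rate limiting and per-source alerting on the detector's output are the operational complement; the hardened reply removes the information, the detector catches whoever keeps trying.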

Twitter fixes the bug

Twitter says that it fixed the bug in January. The bug was introduced into the Twitter code base in July 2021. A security researcher reported it through Twitter's bug bounty program and was awarded $6,000 for disclosing the vulnerability.

The bug bounty report explains that the vulnerability posed a “serious threat” to users who maintain private or pseudonymous accounts. In theory, the bug could have been co-opted to build a database of account identities or to enumerate a large swath of the Twitter user base.

Twitter’s skeleton bugs

This vulnerability appears similar to a Twitter bug discovered in late 2019, which enabled security researchers to match 17 million phone numbers to Twitter accounts.

The recent warning

