A loophole enabled bad actors to find out whether a phone number or email address was linked to an existing account simply by entering that information into a log-in flow.
A Massive Twitter Flaw Left 5.4 Million Accounts Vulnerable with the Data Sold for $30,000
“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” Twitter said in a blog post. This security flaw originated from an update to Twitter’s code that was introduced back in June of last year. Twitter fixed the issue after receiving the report last January through the bug bounty program. The company also added that it discovered “no evidence to suggest someone had taken advantage of the vulnerability” when it first learned about the bug.

However, it is also worth noting that the bug report came too late, because some bad actors had already exploited the flaw. According to a report from Bleeping Computer, a hacker managed to sell a database containing phone numbers and email addresses linked to 5.4 million individuals, and it was sold for $30,000. “After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter confirmed.

At the moment, the company has not said how many accounts were affected, but it did confirm that the breach affected users with pseudonymous accounts. The database that was sold contained information “about various accounts, including celebrities, companies, and random users.” Twitter will notify the account owners affected by this vulnerability. Thankfully, no passwords were compromised as a result of this breach, so you do not have to worry about that.
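The enumeration oracle described above, and the uniform-response fix that removes it, as an added Python sketch that is not Twitter's code: the account directory, handles, and the out-of-band notification function are constructed for illustration only.

```python
from dataclasses import dataclass

# Constructed sample directory: identifier -> account handle (hypothetical users).
ACCOUNTS = {
    "alice@example.com": "@alice_handle",
    "+15550001111": "@bob_handle",
}

# Constructed stand-in for an email/SMS sender: records what would be delivered.
OUTBOX: list[tuple[str, str]] = []


@dataclass(frozen=True)
class LookupResponse:
    status: int
    body: str


def lookup_leaky(identifier: str) -> LookupResponse:
    """Vulnerable pattern: the response reveals whether the identifier is registered,
    and even which account it belongs to, to whoever submits it."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return LookupResponse(404, "No account is associated with this email or phone number.")
    return LookupResponse(200, f"This email or phone number is associated with {handle}.")


def lookup_uniform(identifier: str) -> LookupResponse:
    """Hardened pattern: identical status and body whether or not the identifier exists.
    The real answer goes out-of-band, only to whoever controls the email/phone."""
    handle = ACCOUNTS.get(identifier)
    if handle is not None:
        # Hypothetical delivery to the identifier's owner; the caller never sees it.
        OUTBOX.append((identifier, f"Your account is {handle}."))
    # Same message for both branches, so the response carries no existence signal.
    return LookupResponse(
        200, "If this email or phone number is linked to an account, we'll send instructions there."
    )


def responses_are_uniform(lookup, identifiers) -> bool:
    """Defender check: every identifier must yield the exact same (status, body) pair.
    Any difference is an enumeration oracle. (Response timing should be checked separately.)"""
    return len({lookup(i) for i in identifiers}) == 1
```

A regression test like `responses_are_uniform` belongs in the CI suite of any lookup, sign-up, or password-reset flow, since the page's flaw was introduced by a routine code update.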