Twitter says it has fixed a security vulnerability that attackers had exploited to collect information on 5.4 million Twitter accounts, data that was later put up for sale on a well-known cybercrime forum.
The vulnerability allowed anyone to submit a known person’s phone number or email address and learn whether it was linked to an existing Twitter account, potentially exposing the identities behind pseudonymous accounts.
In a brief statement published on Friday, the microblogging giant said: “If someone submits an email address or phone number to the Twitter systems, the Twitter systems will tell the person which Twitter account the submitted email address or phone number, if any, was associated with.”
Twitter said it fixed the bug in January, six months after it was introduced into its codebase, following a bug report from a security researcher who received $6,000 for disclosing the vulnerability.
According to the bug report, the vulnerability posed a “serious threat” to users with private or pseudonymous accounts, and could be used to “create a database” or enumerate “a large portion of the Twitter user base.” It resembles a vulnerability discovered in late 2019 that allowed a security researcher to match 17 million phone numbers to Twitter accounts.
But the researcher’s warning came too late. During the six-month window before the fix, hackers had already exploited the vulnerability to build a database of email addresses and phone numbers for 5.4 million Twitter accounts.
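To make the failure mode concrete, here is an added illustration in Python; it is not Twitter's code or the researcher's proof of concept, and every user, identifier, client address and log format in it is invented. It shows the oracle pattern the article describes (a lookup whose response differs for registered and unregistered identifiers), how a caller turns that oracle into bulk enumeration, a hardened variant that answers identically on both paths and throttles callers, and a simple detection heuristic run over constructed log lines.

```python
"""Added example: account-lookup oracle, enumeration against it, a hardened
lookup, and a detection heuristic. Not code from Twitter or the reporter."""
from dataclasses import dataclass, field
import time

# Constructed sample user table (identifier -> screen name). All invented.
USERS = {
    "alice@example.com": "alice_writes",
    "+15550100001": "anon_reporter",
    "bob@example.org": "bob",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Leaky behaviour: the body differs depending on whether the identifier
    maps to an account, so the endpoint works as a yes/no (and who) oracle."""
    handle = USERS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "ok", "screen_name": handle}


def enumerate_accounts(lookup, candidates):
    """Attacker side: feed a list of already-known emails/phone numbers and
    keep those that resolve to a handle. The output is exactly the kind of
    identifier-to-account database described in the article."""
    found = {}
    for candidate in candidates:
        resp = lookup(candidate)
        if resp.get("status") == "ok":
            found[candidate] = resp["screen_name"]
    return found


@dataclass
class HardenedLookup:
    """Same response for known and unknown identifiers, plus a per-client
    rate limit. The real answer is delivered out of band to the identifier's
    owner, never to the requester."""
    max_per_window: int = 5
    window_s: float = 60.0
    _hits: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)  # stand-in for SMS/e-mail delivery

    def _throttled(self, client: str, now: float) -> bool:
        recent = [t for t in self._hits.get(client, []) if now - t < self.window_s]
        recent.append(now)
        self._hits[client] = recent
        return len(recent) > self.max_per_window

    def lookup(self, client: str, identifier: str, now=None) -> dict:
        now = time.monotonic() if now is None else now
        if self._throttled(client, now):
            return {"status": "rate_limited"}
        handle = USERS.get(identifier)
        if handle is not None:
            # Only the owner of the address/number learns the account name.
            self.outbox.append((identifier, f"Your account is @{handle}"))
        # Identical body on both paths: the caller learns nothing.
        return {
            "status": "accepted",
            "message": "If this identifier is registered, instructions were sent to it.",
        }


# Constructed access-log lines: "<client> lookup id=<identifier> status=<status>".
# A real service's log format will differ; this is only for the heuristic below.
SAMPLE_LOG = [
    "203.0.113.9 lookup id=alice@example.com status=ok",
    "203.0.113.9 lookup id=carol@example.com status=not_found",
    "203.0.113.9 lookup id=+15550100001 status=ok",
    "203.0.113.9 lookup id=dave@example.com status=not_found",
    "198.51.100.4 lookup id=bob@example.org status=ok",
]


def flag_enumeration(lines, min_distinct=3):
    """Detection heuristic: one client probing many distinct identifiers in
    a short span looks like enumeration, whatever the responses were."""
    per_client = {}
    for line in lines:
        client, _, rest = line.partition(" lookup id=")
        ident, _, _status = rest.partition(" status=")
        per_client.setdefault(client, set()).add(ident)
    return sorted(c for c, ids in per_client.items() if len(ids) >= min_distinct)


if __name__ == "__main__":
    probe = ["alice@example.com", "carol@example.com", "+15550100001"]
    print("oracle leaks:", enumerate_accounts(lookup_vulnerable, probe))
    h = HardenedLookup()
    print("hardened, known:", h.lookup("203.0.113.9", "alice@example.com"))
    print("hardened, unknown:", h.lookup("203.0.113.9", "carol@example.com"))
    print("flagged clients:", flag_enumeration(SAMPLE_LOG))
```

The hardened variant fixes the information leak, not the abuse potential on its own: without the throttle a caller could still measure timing or trigger mass notifications, so in practice the uniform response, rate limiting per client and per identifier, and server-side alerting on probing patterns go together.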
Twitter said it learned of the exploitation from a press report in July, which it did not identify, after a listing was discovered on a cybercrime forum claiming to hold data on everyone from “celebrities to companies” along with “OG” usernames, the highly sought-after short social media and gaming handles.
“After examining a sample of data available for sale, we confirmed that an attacker took advantage of the issue before it was resolved,” Twitter said in a statement. “We will be directly notifying account holders who we can confirm have been affected by this issue.”
It is the latest security incident to hit Twitter in recent years. In May, Twitter agreed to pay $150 million in a settlement with the Federal Trade Commission over the company’s misuse of phone numbers and email addresses, which users had provided to set up two-factor authentication, for targeted advertising.
Credit: techcrunch.com