Twitter announced it had fixed a security flaw that allowed attackers to collect data on 5.4 million platform accounts; the resulting database was later offered for sale in cybercriminal circles. The vulnerability made it possible to submit a phone number or email address and learn whether a social network account was linked to it.
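As an added illustration (not Twitter's code and not the actual endpoint involved), the following Python sketches the lookup pattern described above, a hardened form that answers identically whether or not a contact is linked, and a log check a defender could run to spot bulk probing; the account directory, log format and addresses are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample directory (hypothetical): contact handle -> account id
ACCOUNTS = {"alice@example.com": "u1001", "+15550100": "u1002"}

def lookup_leaky(contact):
    """Vulnerable pattern: the response itself reveals whether the contact is linked."""
    if contact in ACCOUNTS:
        return {"status": 200, "account": ACCOUNTS[contact]}
    return {"status": 404, "error": "no account linked"}

def lookup_hardened(contact, proved_ownership=False):
    """Hardened pattern: identical response for linked and unlinked contacts.
    Account details are released only to a caller who has already proved
    ownership of the contact (e.g. via a code sent to that address or number)."""
    if proved_ownership and contact in ACCOUNTS:
        return {"status": 200, "account": ACCOUNTS[contact]}
    return {"status": 200, "message": "If this contact is linked, a notification has been sent to it"}

# Constructed access-log lines (hypothetical format): source contact status
LOG = """\
203.0.113.9 alice@example.com 200
203.0.113.9 bob@example.com 404
203.0.113.9 carol@example.com 404
203.0.113.9 +15550100 200
203.0.113.9 +15550101 404
198.51.100.7 alice@example.com 200
198.51.100.7 alice@example.com 200
""".splitlines()

def enumeration_sources(log_lines, max_distinct=3):
    """Flag sources that probed more than max_distinct different contacts.
    Contacts are hashed so the alert record carries no plaintext PII."""
    probes = defaultdict(set)
    for line in log_lines:
        src, contact, _status = line.split()
        probes[src].add(hashlib.sha256(contact.encode()).hexdigest())
    return sorted(src for src, seen in probes.items() if len(seen) > max_distinct)

if __name__ == "__main__":
    print(enumeration_sources(LOG))  # ['203.0.113.9']
```

A uniform response removes the existence oracle; the log check covers the residual case where an attacker reaches a lookup path that still differs, and should be paired with per-source rate limiting.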
The vulnerability was introduced by a code update in June 2021 that passed the platform's review. It was reported in January 2022; the bug was quickly identified and fixed, and the researcher who reported it received a $6,000 reward. The issue was described as a "serious threat" to users, since it could be used to build a database covering a significant portion of Twitter's user base. There is precedent: in 2019, a researcher was able to match 17 million telephone numbers to accounts on the service.
Unfortunately, the problem became known too late. In the roughly six months the bug was live, attackers exploited it to assemble a database of email addresses and phone numbers totalling 5.4 million records. Twitter learned only in July that the database was being offered for sale; the company's specialists examined a sample of the data and confirmed that the attackers had exploited the vulnerability before it was officially discovered. The platform pledged to notify every user affected by the incident individually.