A security vulnerability on Twitter allowed a bad actor to look up the account names associated with particular email addresses and phone numbers (and yes, that could include your secret celebrity stan accounts), Twitter confirmed on Friday. Twitter patched the issue in January after receiving a report through its bug bounty program, but a hacker had already exploited the flaw before Twitter knew it existed.
The vulnerability, introduced by an update the platform made to its code in June 2021, went unnoticed until earlier this year. That left the flaw exposed for several months, although Twitter said at the time of discovery that it "had no evidence to suggest someone had taken advantage of the vulnerability."
Last month's report from Bleeping Computer suggested otherwise, revealing that a hacker had exploited the vulnerability while it was still unknown to Twitter. The hacker reportedly used the flaw to assemble a database of over 5.4 million accounts, then offered it for sale on a hacker forum for $30,000. After analyzing the data posted to the forum, Twitter confirmed that the records were genuine user data obtained through the flaw.
It's still unclear how many users were actually affected, and Twitter doesn't seem to know either. While Twitter says it plans to notify affected users, it isn't "able to confirm every account that was potentially impacted." Twitter advises anyone concerned about their secret accounts to enable two-factor authentication, and to attach an email address or phone number that isn't publicly known to any account they don't want linked to them. Note that only the second measure addresses this particular flaw: two-factor authentication protects against account takeover, but it does nothing to stop someone who already knows your email address or phone number from discovering which account it belongs to.