Twitter has confirmed a flaw in the company's code that led to a data breach late last year, in which data on about 5.4 million users was leaked.
According to Engadget, Twitter confirmed the information on the company blog last Friday, saying that a malicious actor took advantage of the zero-day vulnerability before the company became aware of it and patched it in January 2022. The vulnerability was discovered by a security researcher who reported it to Twitter through the company's bug bounty program.
When Twitter first learned of the vulnerability, the company said it had "no evidence" that it had been exploited. However, an individual told Bleeping Computer last month that he had used the vulnerability to obtain data on more than 5.4 million accounts. Twitter said it could not confirm how many users were affected by the leak. The vulnerability allowed an attacker to check whether an email address or phone number was associated with an existing Twitter account, and that information could then be used to identify the account owner.
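The flaw class the article describes is account enumeration: a lookup endpoint whose response differs depending on whether an email address or phone number is already registered. The Python below is an added illustration, not Twitter's code and not taken from the article; the account table, log lines and the function and field names are constructed for the example. It shows a handler that leaks existence beside one that returns the same response either way, plus a simple detector that flags sources issuing an unusual number of lookups.

```python
"""Account-enumeration flaw (hypothetical): a lookup endpoint that reveals
whether an identifier is registered, and a hardened version that does not.
Nothing here is Twitter's code; all data is constructed for illustration."""

from collections import Counter

# Constructed set of "registered" identifiers (not real accounts).
REGISTERED = {"alice@example.com", "+15550100"}


def check_vulnerable(identifier: str) -> dict:
    """Leaky handler: status code and message depend on account existence,
    so a caller can confirm that an email/phone belongs to an account."""
    if identifier in REGISTERED:
        return {"status": 409, "message": "Identifier already in use"}
    return {"status": 200, "message": "Identifier available"}


def check_hardened(identifier: str) -> dict:
    """Hardened handler: the response is identical in both cases. The real
    work (sending a confirmation or reset link to the identifier) is done
    out of band, so only the owner of the email/phone learns anything."""
    _ = identifier in REGISTERED  # same work on both paths; result never leaks
    # A real deployment would queue the notification here, on both paths.
    return {
        "status": 200,
        "message": "If this identifier is valid, we have sent instructions to it.",
    }


def responses_indistinguishable(handler, known: str, unknown: str) -> bool:
    """True when the handler's output cannot separate a registered
    identifier from an unregistered one."""
    return handler(known) == handler(unknown)


# Constructed access log: (source address, identifier looked up).
# 198.51.100.7 is hammering the endpoint; 203.0.113.5 is a normal user.
LOOKUP_LOG = [
    ("198.51.100.7", "a@example.com"),
    ("198.51.100.7", "b@example.com"),
    ("198.51.100.7", "c@example.com"),
    ("198.51.100.7", "+15550101"),
    ("198.51.100.7", "+15550102"),
    ("198.51.100.7", "+15550103"),
    ("203.0.113.5", "me@example.com"),
]


def flag_enumeration(log, threshold: int = 5) -> list:
    """Return sources that issued at least `threshold` lookups. A burst of
    lookups for distinct identifiers from one source is the signature of
    bulk enumeration, and is where rate limiting should apply."""
    counts = Counter(src for src, _ in log)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(check_vulnerable("alice@example.com"), check_vulnerable("x@example.com"))
    print(check_hardened("alice@example.com"), check_hardened("x@example.com"))
    print("flagged sources:", flag_enumeration(LOOKUP_LOG))
```

The hardened handler is only as good as its side channels: response size, headers and timing must also be identical on both paths, which is why it performs the same lookup regardless of the outcome. Rate limiting per source and per identifier, as the detector suggests, limits how far bulk enumeration can get even where some difference remains.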
"We are publishing this update because we cannot confirm every potentially affected account, and are particularly mindful of those with anonymous accounts that could be targeted by the state or other actors. If you run a Twitter account with a nickname, we understand the risks an incident like this can pose and deeply regret that it happened," Twitter said.
Twitter said it will directly notify any account owners it can confirm were affected by the leak. For users who want to keep their identity private, the company recommends not adding a publicly known phone number or email address to the account. The company also suggests that users enable two-factor authentication on their accounts.