Twitter has confirmed that a vulnerability in its code led to a data exposure late last year. In a blog post published on Friday, the company said a malicious actor took advantage of a zero-day flaw before it became aware of the issue and patched it in January 2022. The vulnerability was discovered by a security researcher who contacted Twitter through the company's bug bounty program.
When Twitter first learned of the flaw, it said it had "no evidence" to suggest it had been exploited. However, a user told Bleeping Computer last month that they took advantage of the vulnerability to obtain data on more than 5.4 million accounts. Twitter said it couldn't confirm how many users were affected by the exposure. The vulnerability allowed the bad actor to determine whether an email address or phone number was tied to an existing Twitter account. In turn, they could use that information to determine the identity of an account's owner.
"We are publishing this update because we aren't able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors," Twitter said. "If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened."
Twitter said it would directly notify every account owner it could confirm was affected by the exposure. For users trying to keep their identity hidden, the company recommends not adding a publicly known phone number or email address to an account. It also suggests enabling two-factor authentication.