Twitter fixes security flaw that exposed at least 5.4 million accounts – TechCrunch

Twitter says it has fixed a vulnerability that allowed threat actors to collect information on 5.4 million Twitter accounts, which were listed for sale on a well-known cybercrime forum.

The vulnerability allowed anyone to enter a known user’s phone number or email address and see if it was linked to an existing Twitter account, potentially exposing the identities of aliases.

in brief statement “If someone submits an email address or phone number to Twitter systems, Twitter systems will tell the person which Twitter account is associated with the email addresses or phone number associated with it, if any,” said the microblogging giant, which was posted on Friday.

Twitter said it fixed the flaw in January — six months after the bug was initially entered into its code base — after a bug bounty report by a security researcher, who was awarded $6,000 for exposing the vulnerability.

According to a bug bounty report, the vulnerability posed a “serious threat” to users with private or alias accounts, and could be used to “create a database” or enumerate a “significant portion of Twitter’s user base”. It is similar to a vulnerability discovered in late 2019 that allowed a security researcher to match 17 million phone numbers to Twitter accounts.

But the researcher’s warning came too late. Hackers already exploited the vulnerability during that six-month window to create a database of email addresses and phone numbers for 5.4 million Twitter accounts.

Twitter said it learned of the exploit from an unidentified press report in July, which found a listing in a cybercrime forum claiming to have user data “from celebrities to corporations,” and OGs, referring to social media and custom or highly sought-after games. Usernames.

“After reviewing a sample of data available for sale, we have confirmed that a bad actor took advantage of the issue before it was addressed,” Twitter said. “We will notify account owners directly who we can confirm are affected by this issue.”

It’s the latest security incident to hit Twitter in recent years. In May, Twitter agreed to pay $150 million in a settlement with the Federal Trade Commission after the company misused phone numbers and email addresses, which users provided to set up two-factor authentication, for targeted ads.