Twitter confirms vulnerability exposed data of anonymous account owners

As many as 5.4 million users may have had their information leaked.


[Photo: the Twitter logo on a smartphone, Berlin, Germany, March 10, 2022. Photo Illustration by Thomas Trutschel/Photothek via Getty Images]

Twitter has confirmed that a vulnerability in its code led to a data exposure. In a blog post published on Friday, the company said the bug was introduced by a code update in June 2021 and that a malicious actor exploited it before Twitter became aware of it; the company learned of the flaw and patched it in January 2022. The vulnerability was reported by a security researcher through the company's bug bounty program.

When Twitter first learned of the flaw, it said it had "no evidence" that it had been exploited. However, an individual told BleepingComputer last month that they had used the vulnerability to obtain data on more than 5.4 million accounts. Twitter said it could not confirm how many users were affected. The flaw meant that when someone submitted an email address or phone number to Twitter's systems, the systems would reveal which Twitter account, if any, that email address or phone number was associated with. For a pseudonymous account, linking it to a known email address or phone number is enough to unmask its owner.
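The flaw described above is a classic account-enumeration oracle: a lookup endpoint whose response depends on whether the submitted identifier is registered. The following is an added illustration, not Twitter's code and not a description of Twitter's actual API; the `LookupService` class, the sample user directory and the caller names are all constructed for the example. It shows the leaky pattern beside a hardened version that returns the same response whether or not the identifier is known and caps lookups per caller.

```python
"""Account-enumeration oracle: leaky lookup vs. a uniform-response lookup.

Added example for illustration only. Nothing here is Twitter's code;
the user directory and identifiers below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample directory mapping contact identifiers to handles.
USERS = {
    "alice@example.org": "@alice_reports",
    "+15555550100": "@anon_watchdog",
}


@dataclass
class LookupService:
    users: dict
    max_lookups: int = 5                       # per-caller budget for the hardened path
    _counts: dict = field(default_factory=dict)

    def leaky_lookup(self, identifier: str) -> dict:
        """Vulnerable pattern: the response differs by whether the identifier
        exists, and it reflects the linked handle. Iterating a list of emails
        or phone numbers therefore tells an attacker which ones own accounts,
        and which accounts they are."""
        handle = self.users.get(identifier)
        if handle is None:
            return {"found": False}
        return {"found": True, "handle": handle}

    def uniform_lookup(self, caller: str, identifier: str) -> dict:
        """Hardened pattern: identical response for known and unknown
        identifiers, plus a per-caller budget so bulk probing is cut off.
        Any real work (e.g. sending a recovery message to the identifier if
        it is registered) happens server-side and is never reflected back."""
        n = self._counts.get(caller, 0) + 1
        self._counts[caller] = n
        if n > self.max_lookups:
            return {"status": "rate_limited"}
        _ = self.users.get(identifier)          # result deliberately not exposed
        return {
            "status": "ok",
            "message": "If this identifier is registered, we've sent instructions.",
        }


def enumerate_with(lookup, candidates):
    """Attacker-side loop: collect every candidate that the endpoint admits
    maps to an account. Against uniform_lookup this never learns anything."""
    hits = {}
    for candidate in candidates:
        response = lookup(candidate)
        if response.get("found"):
            hits[candidate] = response["handle"]
    return hits


if __name__ == "__main__":
    svc = LookupService(USERS)
    probes = ["alice@example.org", "bob@example.org", "+15555550100"]
    print("leaky:", enumerate_with(svc.leaky_lookup, probes))
    print("uniform:", enumerate_with(lambda c: svc.uniform_lookup("attacker", c), probes))
```

Two things the check should cover in practice: the hardened response must be identical in status code, body and headers for both cases (the example compares the body), and response timing should not differ noticeably between the branches, since an attacker can treat latency as the oracle when the body no longer leaks.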

“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” Twitter said. “If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened.”


Twitter said it would directly notify every account owner it could confirm was affected by the exposure. For users trying to keep their identity hidden, the company recommends not adding a publicly known phone number or email address to an account. It also suggests enabling two-factor authentication, although that protects against account takeover rather than against this kind of lookup, which only needs a contact detail already linked to the account.
