• The stolen data had been offered for sale on a cybercrime forum;
• Vulnerability exposed the identities of pseudonymous accounts;
• Twitter said it fixed the bug six months after it was deployed to its codebase.

Twitter said it fixed a security vulnerability that allowed cybercriminals to compile information from 5.4 million Twitter accounts. The stolen data had been put up for sale on a well-known cybercrime forum.

The vulnerability allowed anyone to enter a known user’s phone number or email address and learn if it was linked to an existing Twitter account, potentially exposing the identities of pseudonymous accounts.
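The behaviour described above is a classic account-enumeration flaw: the lookup endpoint answers differently for identifiers that are and are not registered. The following is an added example, not Twitter's code, that models the flaw alongside an enumeration-resistant version of the same lookup and a check a test suite can run to catch the difference. The user table, the `client_id` value and the response format are constructed for the example.

```python
"""Account lookup by email/phone: vulnerable vs. enumeration-resistant.

Added example; the USERS table, client ids and response shapes are
constructed here and do not come from Twitter.
"""
import time
from collections import defaultdict

# Constructed sample directory: contact identifier -> account handle.
USERS = {
    "alice@example.com": "@alice_pseudonym",
    "+15550100": "@bob",
}


def vulnerable_lookup(identifier: str) -> dict:
    """Flawed design: the response reveals whether the identifier is
    registered and which account it belongs to, so anyone can submit a
    list of emails/phones and learn which ones map to accounts."""
    handle = USERS.get(identifier)
    if handle is None:
        return {"exists": False}
    return {"exists": True, "account": handle}


class HardenedLookup:
    """Enumeration-resistant lookup.

    - The response is identical whether or not the identifier is known.
    - Anything identifier-specific (e.g. a recovery message) is delivered
      out-of-band to the identifier's owner, never to the requester.
    - Requests are rate-limited per client over a fixed window, so bulk
      probing is slowed and shows up as throttling in logs.
    """

    def __init__(self, limit: int = 5, window_s: float = 60.0):
        self.limit = limit
        self.window = window_s
        self.hits = defaultdict(list)  # client_id -> request timestamps
        self.outbox = []  # constructed stand-in for a mail/SMS queue

    def lookup(self, identifier: str, client_id: str, now: float = None) -> dict:
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[client_id] if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[client_id] = recent
            # Throttled response carries no information about the identifier.
            return {"status": "rate_limited"}
        recent.append(now)
        self.hits[client_id] = recent

        handle = USERS.get(identifier)
        if handle is not None:
            # Notify the owner out-of-band; the requester never sees this.
            self.outbox.append((identifier, handle))

        # Same body for known and unknown identifiers.
        return {
            "status": "ok",
            "message": "If that identifier is registered, instructions have been sent to it.",
        }


def responses_differ(lookup_fn, known: str, unknown: str) -> bool:
    """Regression check: True if the endpoint answers differently for a
    registered and an unregistered identifier (i.e. it leaks existence)."""
    return lookup_fn(known) != lookup_fn(unknown)
```

`responses_differ` is the kind of assertion worth keeping in an endpoint's test suite: it flags the vulnerable handler and passes for the hardened one. Rate limiting alone does not fix the leak, since a patient attacker spreads requests over time; the uniform response is the actual fix, and the throttle is what makes bulk probing visible to the defender.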

In a brief statement published on Friday, the microblogging giant said: “If someone were to send an email address or phone number to Twitter’s systems, the systems would tell the person to which Twitter account the email address or phone number sent were associated, if any”.

Twitter said it fixed the bug in January – six months after the bug was initially introduced into its codebase – following a bug bounty report by a security researcher, who was paid $6,000 for disclosing the vulnerability.

According to the bug bounty report, the vulnerability posed a “serious threat” to users who have private or pseudonymous accounts and could be used to “build a database” or enumerate “a large portion of Twitter’s user base.” It’s similar to a vulnerability discovered in late 2019 that allowed a security researcher to associate 17 million phone numbers with Twitter accounts.

But the researcher’s warning came too late. Hackers had already exploited the vulnerability during that six-month period to create a database of email addresses and phone numbers from 5.4 million Twitter accounts.
