Twitter said on Friday that it has fixed a security vulnerability that allowed threat actors to compile information of 5.4 million Twitter accounts.
The vulnerability allowed anyone to enter a phone number or an email address of a known user and learn if it was tied to an existing Twitter account, potentially exposing the identities of pseudonymous accounts.
In a statement released on Friday, the company said, “if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any.”
The bug resulted from an update to code in June 2021. After a bug bounty report by a security researcher, the company investigated and fixed it in January, Twitter said in the statement.
According to the bug bounty report, the vulnerability posed a “serious threat” to users who have private or pseudonymous accounts, and could be used to “create a database” or enumerate “a big chunk of the Twitter user base.”
Hackers had already exploited the vulnerability before its fixation to create a database of email addresses and phone numbers of 5.4 million Twitter accounts, a report by TechCrunch said.
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. “We will be directly notifying the account owners we can confirm were affected by this issue.”