Twitter revealed on Friday that a now-fixed zero-day flaw was used to link phone numbers and email addresses to user accounts on the social media platform. “As a result of the vulnerability, when someone submits an email address or phone number to Twitter’s systems, Twitter’s systems tell the person which Twitter account the email address or number was associated with, if any,” the company said in a notice. Twitter said the bug, which was discovered in January 2022, stemmed from a code change introduced in June 2021.
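The flaw described above is an account-enumeration oracle: a lookup endpoint whose response reveals whether a submitted contact is linked to an account, and which one. The following added example is not Twitter's code; it uses a constructed contact directory and a hypothetical threshold to show the leaky lookup beside a hardened one that returns the same response whether or not a match exists, plus a small monitor that flags a client probing many distinct contacts in a short window, since a uniform response alone does not stop bulk probing.

```python
"""Account-enumeration oracle: leaky lookup, hardened lookup, and a probe monitor.

Added example, not Twitter's code. The directory, request shape, threshold and
window are constructed assumptions standing in for any "find my account" endpoint.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed sample directory: contact (email or phone) -> account handle.
_ACCOUNTS: Dict[str, str] = {
    "alice@example.test": "@alice",
    "+15550100": "@bob",
}


def lookup_leaky(contact: str) -> dict:
    """Vulnerable form: the response differs for linked vs. unlinked contacts
    and even names the linked account, so a caller can enumerate the directory."""
    handle = _ACCOUNTS.get(contact)
    if handle is None:
        return {"found": False}
    return {"found": True, "account": handle}


def lookup_hardened(contact: str) -> dict:
    """Hardened form: identical response regardless of whether a match exists.
    Any real delivery (email/SMS to the contact) happens out of band and only
    to the contact itself, never to the caller."""
    _ = _ACCOUNTS.get(contact)  # lookup still happens; the result is not echoed
    return {"status": "ok",
            "message": "If this contact is registered, a message will be sent to it."}


def is_oracle(lookup: Callable[[str], dict], present: str, absent: str) -> bool:
    """True when the endpoint's response distinguishes a linked contact from an
    unlinked one, i.e. when it can be used as an enumeration oracle."""
    return lookup(present) != lookup(absent)


class EnumerationMonitor:
    """Flags clients that probe more than `threshold` distinct contacts within
    `window_s` seconds. Threshold and window are illustrative assumptions."""

    def __init__(self, threshold: int = 50, window_s: int = 60) -> None:
        self.threshold = threshold
        self.window_s = window_s
        self._events: Dict[str, List[Tuple[float, str]]] = defaultdict(list)

    def record(self, client: str, contact: str, ts: float) -> bool:
        """Record one lookup; return True if the client now exceeds the threshold."""
        events = self._events[client]
        events.append((ts, contact))
        cutoff = ts - self.window_s
        # Drop events that fell out of the sliding window.
        self._events[client] = events = [(t, c) for t, c in events if t >= cutoff]
        distinct = {c for _, c in events}
        return len(distinct) > self.threshold


if __name__ == "__main__":
    print("leaky is oracle:", is_oracle(lookup_leaky, "alice@example.test", "x@example.test"))
    print("hardened is oracle:", is_oracle(lookup_hardened, "alice@example.test", "x@example.test"))
    mon = EnumerationMonitor(threshold=3, window_s=60)
    for i in range(5):
        print("flagged:", mon.record("client-1", f"user{i}@example.test", float(i)))
```

The monitor keys on the client, not the contact, because an enumeration campaign touches many contacts once each; a per-contact limit would never trigger. In practice the client key would be whatever the service can attribute requests to (an API key, session or source address), which is an assumption here.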
No passwords were exposed as a result of the incident. The six-month delay in disclosure stems from new evidence last month that an unknown actor may have exploited the bug before it was patched to scrape user information and sell it on Breach Forums. Although Twitter did not disclose the exact number of affected users, a forum post published by the threat actor indicated that the flaw was exploited to amass a list of more than 5.48 million account profiles.
Restore Privacy, which disclosed the breach late last month, said the database was sold for $30,000. Twitter said it is in the process of notifying affected account owners directly, while urging users to enable two-factor authentication to protect against unauthorized access. The development comes as Twitter agreed in May to pay a $150 million fine to settle a US Department of Justice complaint alleging that, between 2014 and 2019, the company used account holder information collected for security verification for advertising purposes without their permission.