Twitter said on Friday that it has fixed a security vulnerability that allowed threat actors to compile information on 5.4 million Twitter accounts.
The vulnerability allowed anyone to submit a phone number or e-mail address and learn whether it was tied to an existing Twitter account, and which one, potentially exposing the identities behind pseudonymous accounts.
In a statement released on Friday, the company said, “if someone submitted an e-mail address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted e-mail address or phone number was associated with, if any.”
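The behaviour Twitter describes is an account-enumeration oracle: the response to the caller depends on whether the submitted contact is linked to an account. The following is an added example, not Twitter's code and not taken from the bug bounty report, that reproduces that pattern in a minimal lookup endpoint, places the hardened form beside it, and runs the differential probe an attacker would use against each. Every name in it (USERS, OUTBOX, lookup_vulnerable, lookup_hardened, probe_contacts, CANDIDATES) and every account record is hypothetical, constructed for the illustration.

```python
# Added example, not Twitter's code: a minimal contact-lookup service that
# reproduces the enumeration oracle described above next to a hardened
# version, plus the differential probe an attacker would run against each.
# All names (USERS, OUTBOX, lookup_vulnerable, lookup_hardened,
# probe_contacts, CANDIDATES) and the account records are hypothetical,
# constructed for this illustration.
import secrets

# Constructed sample data: contact -> handle (hypothetical accounts).
USERS = {
    "alice@example.org": "@alice_pseudonym",
    "+15550100": "@tipline_account",
}

# Records what the hardened endpoint sends to the contact itself, out of band.
OUTBOX = []


def normalize(contact: str) -> str:
    """Canonicalise a submitted e-mail address or phone number."""
    return contact.strip().lower()


def lookup_vulnerable(contact: str) -> dict:
    """The bug pattern: the reply to the caller differs depending on whether
    the contact is linked to an account, and even names the account."""
    handle = USERS.get(normalize(contact))
    if handle is None:
        return {"status": 404, "body": "no account found"}
    return {"status": 200, "body": f"account: {handle}"}


def lookup_hardened(contact: str) -> dict:
    """Fix: the caller always gets the same status and body. Anything that
    depends on whether the account exists is delivered to the contact
    itself (here, appended to OUTBOX), never echoed back to the caller."""
    handle = USERS.get(normalize(contact))
    if handle is not None:
        OUTBOX.append((contact, f"Someone looked up {handle}; ignore this if it was you"))
    return {
        "status": 200,
        "body": "If this contact is linked to an account, we have sent instructions to it.",
    }


def probe_contacts(candidates, endpoint) -> dict:
    """Differential enumeration: compare each candidate's response with the
    response for a contact that cannot exist. Any difference is a hit.
    Returns {contact: response body} for every hit."""
    baseline = endpoint(f"{secrets.token_hex(16)}@invalid.example")
    hits = {}
    for contact in candidates:
        response = endpoint(contact)
        if response != baseline:
            hits[contact] = response["body"]
    return hits


# Constructed candidate list, as an attacker might assemble from an unrelated leak.
CANDIDATES = ["alice@example.org", "bob@example.org", "+15550100", "+15550199"]

if __name__ == "__main__":
    print("vulnerable:", probe_contacts(CANDIDATES, lookup_vulnerable))
    print("hardened:  ", probe_contacts(CANDIDATES, lookup_hardened))
```

Run against the vulnerable endpoint, the probe recovers both linked contacts and their handles from a list of four guesses, which is exactly how a leaked contact list turns into a database of de-pseudonymised accounts. Against the hardened endpoint every response is identical, so the probe returns nothing. A uniform response removes the oracle itself; per-caller rate limiting and authentication on such endpoints are defence in depth, not a substitute, because a slow oracle is still an oracle.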
The bug was introduced by a code change in June 2021. After a security researcher reported it through the bug bounty program in January 2022, the company investigated and fixed it, Twitter said in the statement.
According to the bug bounty report, the vulnerability posed a “serious threat” to users with private or pseudonymous accounts, and could be used to “create a database” enumerating “a big chunk of the Twitter user base.”
Hackers had already exploited the vulnerability before it was fixed, building a database of the e-mail addresses and phone numbers of 5.4 million Twitter accounts, TechCrunch reported.
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. “We will be directly notifying the account owners we can confirm were affected by this issue.”