Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform.
“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the company said in an advisory.
Twitter said the bug, which it was made aware of in January 2022, stemmed from a code change introduced in June 2021. No passwords were exposed as a result of the incident.
The six-month delay in making this public stems from new evidence last month that an unidentified actor had potentially taken advantage of the flaw before the fix to scrape user information and sell it for profit on Breach Forums.
Although Twitter didn’t reveal the exact number of impacted users, the forum post made by the threat actor shows that the flaw was presumably exploited to compile a list containing allegedly over 5.48 million user account profiles.
Restore Privacy, which disclosed the breach late last month, said the database was being sold for $30,000.
Twitter stated it’s in the process of directly notifying account owners affected by the issue, while also urging users to turn on two-factor authentication to secure against unauthorized logins.
The development comes as Twitter, in May, agreed to pay a $150 million fine to settle a complaint from the U.S. Justice Department that alleged the company between 2014 and 2019 used information account holders provided for security verification for advertising purposes without their consent.