Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform.
"Because of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," the company said in an advisory.
Twitter said the bug, which it was made aware of in January 2022, stemmed from a code change introduced in June 2021. No passwords were exposed as a result of the incident.
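The flaw described in the advisory is a lookup oracle: a request carrying a contact detail answers with the linked account. The following is an added illustration, not Twitter's code, showing that leaky pattern beside a uniform-response counterpart and a simple per-client volume check a defender could run over lookup logs. The directory, handles, client IDs and log lines are all constructed.

```python
from collections import Counter

# Constructed sample directory: contact detail -> account handle.
DIRECTORY = {
    "alice@example.com": "@alice",
    "+15550100": "@bob",
}


def leaky_lookup(contact: str) -> dict:
    """Vulnerable pattern: the reply reveals whether the submitted
    email/phone is linked to an account, and to which one. Feeding a
    list of contacts through this endpoint links each to a handle."""
    handle = DIRECTORY.get(contact)
    if handle is None:
        return {"linked": False, "account": None}
    return {"linked": True, "account": handle}


def safe_lookup(contact: str) -> dict:
    """Hardened pattern: the reply is identical whether or not the
    contact is known. Any real action (e.g. a reset message) goes to
    the contact out of band, so the caller learns nothing."""
    _ = DIRECTORY.get(contact)  # used internally only; never returned
    return {"status": "If this contact is registered, instructions were sent to it."}


def flag_enumeration(log_lines, threshold: int = 3) -> list:
    """Detection heuristic: count lookup requests per client in a log
    window; clients at or above the threshold are candidates for rate
    limiting and review. Constructed log format: '<client> LOOKUP <contact>'."""
    per_client = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) == 3 and parts[1] == "LOOKUP":
            per_client[parts[0]] += 1
    return sorted(c for c, n in per_client.items() if n >= threshold)


# Constructed log window: one client hammering the endpoint, one normal user.
SAMPLE_LOG = [
    "203.0.113.7 LOOKUP a@example.com",
    "203.0.113.7 LOOKUP b@example.com",
    "203.0.113.7 LOOKUP c@example.com",
    "203.0.113.7 LOOKUP +15550100",
    "198.51.100.2 LOOKUP alice@example.com",
]

if __name__ == "__main__":
    print(leaky_lookup("alice@example.com"))  # reveals @alice
    print(safe_lookup("alice@example.com"))   # uniform reply
    print(flag_enumeration(SAMPLE_LOG))       # ['203.0.113.7']
```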
The six-month delay in making this public stems from new evidence last month that an unidentified actor had potentially taken advantage of the flaw before the fix to scrape user information and sell it for profit on Breach Forums.
Although Twitter did not reveal the exact number of impacted users, the forum post made by the threat actor shows that the flaw was exploited to compile a list containing allegedly over 5.48 million user account profiles.
Restore Privacy, which disclosed the breach late last month, said the database was being sold for $30,000.
Twitter acknowledged it is in the process of directly notifying account owners affected by the issue, while also urging users to turn on two-factor authentication to secure against unauthorized logins.
The development comes as Twitter, in May, agreed to pay a $150 million fine to settle a complaint from the U.S. Justice Department that alleged the company between 2014 and 2019 used information account holders provided for security verification for advertising purposes without their consent.