Written by Tonya Riley
Twitter confirmed Friday that a bad actor used a vulnerability to match private information with potentially anonymous Twitter accounts, posing risks to users' privacy.
The vulnerability allowed someone to match an email address or phone number to any Twitter accounts tied to that information, along with the names of those accounts, Twitter wrote in a press blog.
“We can confirm the impact was global,” a Twitter spokesperson said in an email. “We cannot determine exactly how many accounts were impacted or the location of the account holders.”
No passwords were compromised in the breach.
Twitter said it would directly notify account owners it confirmed were affected. The company did not provide a number of accounts it confirmed as affected by the security breach. However, news outlet Bleeping Computer reported in July that the threat actor allegedly put data from 5.4 million users up for sale after exploiting the breach. Twitter notes that it became aware of the data abuse through a press report but does not cite the source or any additional details.
The social media giant noted it could not confirm the full impact of the breach.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” Twitter said in a blog.
The exposure could put accounts that use anonymity as a guard against harassment and potential violence, especially accounts belonging to dissidents of authoritarian regimes, in serious danger. Such a massive set of data could also be exploited for commercial purposes, including advertising.
Twitter addressed the vulnerability after a researcher reported it through the company's bug bounty program in January 2022, which means any accounts created after then should be unaffected by the incident. The company says the bug resulted from a 2021 code update.
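To make concrete the class of bug described above (an identifier-to-account oracle) and the kind of fix a remediation involves, here is an added illustration written for this article; it is not Twitter's code and the directory entries and handles in it are constructed. The leaky variant answers differently depending on whether an email or phone number is registered and discloses the handle; the hardened variant returns the same response either way and counts lookups per client so bulk probing is visible to defenders.

```python
# Added illustration (not Twitter's code): a simplified account-lookup handler
# showing an identifier-to-account oracle beside a hardened version that
# answers identically whether or not the identifier is known.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample directory: identifier -> account handle (hypothetical values).
ACCOUNTS = {
    "dissident@example.org": "@quiet_voice",
    "+15550100": "@anon_reporter",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Leaky variant: the response differs by account existence and reveals the handle.

    Anyone who can call this at scale can map a list of emails or phone numbers
    to the pseudonymous accounts behind them.
    """
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": "no_account"}
    return {"status": "taken", "handle": handle}


@dataclass
class HardenedLookup:
    """Uniform response, plus per-client counting so bulk probing can be alerted on."""

    alert_threshold: int = 20
    attempts: dict = field(default_factory=lambda: defaultdict(int))

    def lookup(self, identifier: str, client: str) -> dict:
        self.attempts[client] += 1
        # Look the identifier up so follow-up work (e.g. an out-of-band message)
        # can happen, but never reveal existence or the handle in the response.
        _ = ACCOUNTS.get(identifier)
        return {"status": "ok",
                "message": "If this identifier is registered, we will contact it."}

    def is_suspicious(self, client: str) -> bool:
        """Detection hook: flag a client that has issued many lookups."""
        return self.attempts[client] >= self.alert_threshold


def responses_identical(h: HardenedLookup, known: str, unknown: str, client: str) -> bool:
    """True when a registered and an unregistered identifier yield the same reply."""
    return h.lookup(known, client) == h.lookup(unknown, client)
```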
This isn’t Twitter’s first stumble with consumer privacy. In May, Twitter agreed to pay a $150 million fine to settle a complaint from the Justice Department alleging the company between 2014 and 2019 used information account holders provided for security verification for advertising purposes without user permission. In 2020, Irish regulators fined Twitter nearly half a million dollars for a bug that exposed private tweets.
The company is warning users to not tie sensitive data to anonymous accounts.
“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened,” Twitter wrote in its blog Friday. “To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”