- Twitter informed about a vulnerability that allowed any third party to obtain Twitter ID by entering a phone number or email address into the log-in.
- An update to Twitter code in June 2021 caused this vulnerability. Currently, Twitter is not able to confirm if every account was potentially impacted.
- An author called Devil made it public that it had information about 5.4 million users including celebrities, companies, random users, etc., and asked for at least $30,000 for the database.
In a recent Twitter blog post, the company made aware of a vulnerability that allowed anyone to enter a phone number or email address into the log-in and learn whether there is a Twitter ID connecting to that credential. Apparently, this vulnerability let some cyber actors find out about the Twitter IDs of millions of users and put the related information on sale on breach forums.
A database of 5.4 million users might be stolen
Twitter was notified about this bug during a bug bounty program. A HackerOne user called “Zhirinovsky” alerted the company in January of 2022. The bug is described as allowing any party without any verification to get a Twitter ID by submitting only a phone number or an email address. In its report Zhirinovsky stated;
« The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibitted this action in the privacy settings. »
Twitter said this vulnerability was caused by an update to their code in June 2021. The company did not mention in its blog post how many of its user’s data was breached. It only stated that it had fixed the flaw immediately after it had been reported. During that time, the company did not know if any information was stolen as a result of the vulnerability. But in July, they learned that someone had potentially taken advantage of it indeed. An author called Devil allegedly claimed to have information about 5.4 million users including celebrities, companies, and random users and put the information sale on breached forums. The seller asked for at least $30,000 for the database.

As a response, Twitter said they will be directly notifying the account owners that were affected by this bug. They published the news because they are not able to confirm if every account was potentially impacted. The company suggests the users use a pseudonymous account to keep their identity as veiled as possible and not add a publicly known phone number or email address to their Twitter account.