Twitter recently announced the existence of a security vulnerability that poses a particular risk for anonymous and pseudonymous Twitter accounts.
On Friday, the popular social media platform published a blog statement describing the nature of the security vulnerability, which, if exploited, could let someone send contact information (phone numbers, email addresses) to Twitter’s systems, which would then “tell the person what Twitter account the submitted email addresses or phone number are associated with, if any.” Essentially, with this bug, if you had someone’s contact information, you could use it to figure out which accounts on Twitter were theirs.
And while Twitter says that this vulnerability has been fixed, the bug unfortunately hadn’t been fixed before someone took advantage of it.
According to Twitter’s blog statement, the bug was reported to Twitter in January 2022 and it “immediately investigated and fixed it.” But then, in July, it discovered via “a press report” that someone had already exploited the vulnerability and was now trying to sell the data they collected. Twitter then reviewed a sample of that data and was able to verify that someone had “taken advantage of the issue before it was addressed.”
While Twitter says that it will be contacting the owners of accounts that were affected by this bug and its subsequent breach, that pertains only to account owners that it can confirm were affected. In fact, the blog post announcement of this incident was published because Twitter says it’s not able to confirm all of the accounts that could have been affected and that it is also concerned about “pseudonymous accounts” being targeted by “state or other actors.” It is also worth noting that Twitter said that passwords were not exposed in this breach.
Twitter did offer some advice for those with pseudonymous accounts: Don’t add a publicly available email address or phone number to your Twitter account. And for all Twitter users: Use two-factor authentication for logging in.
