Twitter confirms January breach, urges pseudonymous accounts to not add email or phone number

Twitter officially confirmed that a January breach led to the leak of information connected to 5.4 million accounts. 

Two weeks ago, a hacker on Breach Forums offered email addresses and phone numbers connected to the accounts, which they said ranged from “celebrities, companies, randoms, OGs, etc.”

Researchers immediately tied the post to a vulnerability in Twitter’s platform that was discovered in January by a security researcher who reported the issue through HackerOne, which operates a bug bounty platform used by Twitter.

Twitter told The Record on July 22 that it would investigate the issue. On Friday, the company confirmed both that the information was obtained through the vulnerability and that the stolen information was legitimate.

The social media giant said the vulnerability allowed anyone to enter a phone number or email address when logging in to learn if that information was tied to an existing Twitter account. It could also be used to identify the specific account associated with that information.

“We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened,” the company explained.

For those who have pseudonymous Twitter accounts, the company said it “deeply regret[s] that this happened” and understands the risks the incident can introduce.

Twitter recommended not adding a publicly known phone number or email address to a Twitter account for those interested in keeping their identity concealed. 

The company noted that the original bug that caused the breach came from an update to the platform’s code in June 2021. 

“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the company said.

They fixed the bug and claimed they had no evidence showing it had been exploited. On the HackerOne platform, Twitter acknowledged the issue on January 6, paid a $5,040 bounty and resolved the vulnerability by January 13. The researcher confirmed that the vulnerability was fixed that same day. 

But in July, RestorePrivacy reported that a hacker — going by the name “devil” — was selling information compiled through the exploitation of the bug. 

Their security team reviewed a sample of it and confirmed that it was legitimate. 

Affected accounts will be notified directly but Twitter said they decided to publish the update because it was unable to confirm every account that was potentially impacted.

Twitter added that it is “particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.”

The company added that even though no passwords were exposed, everyone should enable two-factor authentication or other security measures. 

RestorePrivacy spoke with the hacker behind the breach in July. The hacker said they are selling it for “nothing lower than 30k.” It is unclear whether the trove of data was sold.