Last month BleepingComputer learned that hackers said they could exploit a vulnerability on the social media site to create a list of 5.4 million Twitter account profiles.
This vulnerability allows anyone to submit an email address or phone number, verify that it is associated with a Twitter account, and retrieve the associated account ID.Threat actors then use this ID to scrape the account's public information.
This allowed attackers to create profiles of 5.4 million Twitter users in December 2021, including verified phone numbers or email addresses, and scrape public information such asFollower count, screen name, login name, location, profile picture URL and other information.
BleepingComputer later learned that two different threat actors purchased the data for less than the original selling price, and that the data may be released for free in the future.
Today, Twitter has confirmed that threat actors used the same vulnerabilities in December that they reported and fixed in January 2022 as part of their HackerOne bug bounty program.a part of.
Twitter disclosed in today's security advisory: "In January 2022, we received a vulnerability report through our bug bounty program that allowed someone to identifyThe email or phone number associated with the account, or, if they know someone's email or phone number, they can identify their Twitter account, if one exists."