Last Friday, Twitter confirmed that a now-patched zero-day bug had been used to link phone numbers and email addresses to user accounts on the social media platform. According to Twitter, the bug stemmed from a code change introduced in June 2021 and was reported to the company in January 2022. It was an account-enumeration flaw: anyone who submitted an email address or phone number to Twitter's systems could learn which account, if any, that contact was associated with. No passwords were exposed as a result of the incident. Twitter's disclosure did not state the exact number of affected users, but posts on dark web forums suggest over 5.48 million user profiles were affected, with the data reportedly offered for sale for $30,000.
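To make the bug class concrete, here is an added illustration of an account-enumeration oracle and its fix. This is example code written for this page, not Twitter's code; the lookup endpoint, the account directory, the handles and the candidate contact list are all constructed. The vulnerable lookup answers differently for registered and unregistered contacts (and even names the account), so an attacker holding a list of leaked emails or phone numbers can map each one to a handle. The hardened lookup returns an identical response either way and pushes any real effect out of band.

```python
"""Account-enumeration oracle: vulnerable vs. hardened contact lookup.

Constructed example for this page; not Twitter's code or data.
"""

# Constructed sample directory mapping a contact to a handle (not real data).
ACCOUNTS = {
    "alice@example.com": "@alice_pseudonym",
    "+15551230000": "@bob",
}

# Constructed list of contacts an attacker might have obtained elsewhere.
CANDIDATES = [
    "alice@example.com",
    "nobody@example.com",
    "+15551230000",
    "+15559999999",
]


def vulnerable_lookup(identifier: str) -> dict:
    """Vulnerable: status and body differ depending on whether the contact is
    registered, and the success branch reveals the account it belongs to."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": 404, "error": "no account found for this contact"}
    return {"status": 200, "account": handle}


def hardened_lookup(identifier: str) -> dict:
    """Hardened: the response is byte-identical for registered and unregistered
    contacts. The only observable effect (e.g. a recovery message to the
    contact's owner) would be delivered out of band, so the caller learns
    nothing from the HTTP reply about whether the contact exists."""
    if identifier in ACCOUNTS:
        # Hypothetical side effect: queue an out-of-band message to the owner.
        # Deliberately not reflected in the response.
        pass
    return {
        "status": 200,
        "message": "If this contact is registered, we have sent it a message.",
    }


def responses_distinguishable(lookup, registered: str, unregistered: str) -> bool:
    """Check an endpoint the way a reviewer or pentester would: does a known
    registered contact produce a different reply than an unregistered one?"""
    return lookup(registered) != lookup(unregistered)


def enumerate_contacts(identifiers, lookup) -> dict:
    """Attacker's view: submit each candidate contact and keep every one the
    endpoint ties to an account. Returns the contact -> handle mapping the
    attacker is able to build."""
    found = {}
    for ident in identifiers:
        resp = lookup(ident)
        if resp.get("status") == 200 and "account" in resp:
            found[ident] = resp["account"]
    return found


if __name__ == "__main__":
    print("vulnerable oracle distinguishable:",
          responses_distinguishable(vulnerable_lookup, "alice@example.com", "nobody@example.com"))
    print("hardened oracle distinguishable:",
          responses_distinguishable(hardened_lookup, "alice@example.com", "nobody@example.com"))
    print("attacker harvest (vulnerable):", enumerate_contacts(CANDIDATES, vulnerable_lookup))
    print("attacker harvest (hardened):", enumerate_contacts(CANDIDATES, hardened_lookup))
```

The `responses_distinguishable` check is the one to run against any lookup, recovery or signup endpoint: compare the full response (status, headers, body and ideally timing) for a contact you know is registered against one you know is not. A uniform response closes the oracle; per-caller rate limiting on top of it limits how fast a remaining side channel could be walked.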
Twitter offered the following advice on how best to protect accounts:
“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.
While no passwords were exposed, we encourage everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect your account from unauthorized logins. If you’re concerned about the safety of your account, or have any questions about how we protect your personal information, you can reach out to our Office of Data Protection through this form.”