A vulnerability in Twitter's software that exposed an undetermined number of owners of anonymous accounts to potential identity compromise last year was apparently exploited by a malicious actor, the social media company said Friday.
It did not confirm a report that data on 5.4 million users was offered for sale online, but said users worldwide were affected.
The breach is particularly worrisome because many Twitter account owners, including human rights activists, don't disclose their identities in their profiles for security reasons that include fear of persecution by repressive authorities.
"This is very bad for many who use pseudonymous Twitter accounts," Jeff Kosseff, a data security expert at the U.S. Naval Academy, tweeted.
The vulnerability allowed someone to determine if a particular phone number or email address was linked to an existing Twitter account, revealing account owners, the company said.
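As an added illustration that is not part of this article and not Twitter's code, the sketch below shows the bug class just described: a contact-lookup endpoint whose visible reply differs depending on whether an email address or phone number is already registered, the hardened form that answers identically either way, and a simple check defenders can run over access logs to spot one client walking through many identifiers. The registered contacts, client addresses and log format are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of registered contact details (hypothetical, not real data).
REGISTERED = {"alice@example.com", "+15555550100"}


def vulnerable_lookup(identifier: str) -> dict:
    """Pre-fix behaviour: the visible reply reveals whether the contact maps to an account."""
    if identifier in REGISTERED:
        return {"status": 200, "message": "This contact is already linked to an account."}
    return {"status": 404, "message": "No account found."}


def hardened_lookup(identifier: str) -> dict:
    """Fixed behaviour: the same reply whether or not the contact is registered.
    Any real outcome (e.g. a confirmation message) goes out-of-band to the contact
    itself, so the endpoint no longer answers 'does this account exist?'."""
    _registered = identifier in REGISTERED  # usable server-side, never echoed back
    return {"status": 200, "message": "If that contact is registered, we have sent instructions to it."}


def is_existence_oracle(lookup, known_present: str, known_absent: str) -> bool:
    """Regression check for this bug class: the endpoint is an oracle if its
    visible response differs between a contact that exists and one that does not."""
    return lookup(known_present) != lookup(known_absent)


LOG_LINE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<ident>\S+)$")


def find_enumerators(log_lines, threshold: int, window: int) -> set:
    """Flag clients that submit more than `threshold` distinct identifiers inside
    any `window` seconds: a real user checks one contact, a scraper walks a list."""
    probes = defaultdict(list)  # client -> [(ts, identifier), ...]
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            probes[m["client"]].append((int(m["ts"]), m["ident"]))
    flagged = set()
    for client, events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {ident for ts, ident in events[i:] if ts - start <= window}
            if len(seen) > threshold:
                flagged.add(client)
                break
    return flagged


# Constructed log sample, "unix_ts client identifier" (not Twitter's log format).
SAMPLE_LOG = [
    "1000 203.0.113.5 a1@example.org", "1001 203.0.113.5 a2@example.org",
    "1002 203.0.113.5 +15555550101", "1003 203.0.113.5 a3@example.org",
    "1004 203.0.113.5 a4@example.org",
    "1000 198.51.100.7 bob@example.org", "1500 198.51.100.7 bob@example.org",
]
```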
It did not know how many users may have been affected, and stressed that no passwords were exposed.
"We can't determine how many accounts were affected or the location of the account holders," the company said in a blog post Friday. The post followed a report last month by the digital privacy advocacy group Restore Privacy detailing how data presumably obtained through the vulnerability was being sold on a popular hacking forum for $30,000.
A security researcher discovered the flaw in January, informed Twitter and was paid a reported $5,000 bounty. The bug, which was introduced in a June 2021 software update, was fixed immediately, according to Twitter.
Twitter said it learned of the data sale on the hacking forum from media reports and concluded that a bad actor had taken advantage of the issue before it was addressed. It said it was directly notifying all account owners it could confirm were affected.
The update was issued because "we aren't able to confirm every account that could be impacted, and are particularly mindful of people with pseudonymous accounts that could be targeted by state or other actors," the company said.
Twitter recommended that users not add a publicly known phone number or email address to their accounts.
"If you operate a pseudonymous Twitter account, we understand the risks an incident like this can bring and deeply regret that this happened," it said.