Avatar photo

By Faizel Patel

Senior Digital Journalist


Twitter fixes security flaw which may have exposed over 5 million accounts

Twitter did not share how many accounts were affected, but it did say the breach potentially affected users with pseudonymous accounts.


Social media giant Twitter has fixed a new security vulnerability which enabled hackers to find out if a phone number or email address was associated with an existing account by just entering these pieces of information into the log-in flow.

The bug left the identities of millions of secret accounts exposed.

In a blog post, Twitter said it fixed the issue after receiving are report last January, through its bug bounty programme.

“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any.”

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability,” Twitter said.

ALSO READ: Meta announces expansion of NFT support on Instagram

However, the bug report came too late because some bad actors had already exploited the flaw.

“In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”

“According to a Bleeping Computer report, a hacker sold a database containing phone numbers and email addresses tied to 5.4 million accounts via a hacker forum for $30 000.

Android Central reports that Twitter did not share how many accounts were affected, but it did say the breach potentially affected users with pseudonymous accounts.

“The database for sale, according to Bleeping Computer, contains information “about various accounts, including celebrities, companies, and random users.”

Twitter said it will notify account owners affected by this vulnerability.

How to Protect Your Account

“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

“While no passwords were exposed, we encourage everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect your account from unauthorised logins.

“If you’re concerned about the safety of your account, or have any questions about how we protect your personal information, you can reach out to our Office of Data protection,” Twitter said.

ALSO READ: Twitter tests new “Status” feature

Read more on these topics

hackers Social Media Twitter

For more news your way

Download our app and read this and other great stories on the move. Available for Android and iOS.