Hackers said they could exploit a vulnerability on the social media site to create a list of 5.4 million Twitter account profiles, BleepingComputer learned last month.
The vulnerability allowed anyone to submit an email address or phone number, confirm that it was associated with a Twitter account, and retrieve that account's ID. The threat actors then used the ID to scrape the account's public information.
This allowed the attackers to build profiles of 5.4 million Twitter users in December 2021, each linking a verified phone number or email address to scraped public information such as follower counts, screen names, login names, locations, profile picture URLs, and other details.
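The pattern described above is an account-enumeration oracle: a contact-lookup endpoint whose response differs depending on whether the email or phone number is tied to an account, and which additionally hands back the account ID that a public-profile endpoint will accept. The following added example (not Twitter's code or API; all endpoint names, functions and sample accounts are hypothetical and constructed for illustration) shows the vulnerable shape of such an endpoint, the attacker-side loop that turns a list of contacts into linked profiles, and a hardened version that returns the same response regardless of whether the contact exists and budgets requests per client.

```python
"""Added example (not Twitter's code or API): a contact-lookup endpoint that
acts as an account-enumeration oracle, beside a hardened version.
All names, endpoints and sample accounts below are hypothetical."""
from dataclasses import dataclass
from collections import defaultdict
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Account:
    account_id: int
    screen_name: str
    email: str
    phone: str
    followers: int


# Constructed sample data, not real accounts.
ACCOUNTS = [
    Account(1001, "alice_example", "alice@example.com", "+15550000001", 1200),
    Account(1002, "bob_example", "bob@example.com", "+15550000002", 87),
    Account(1003, "carol_example", "carol@example.com", "+15550000003", 54000),
]
BY_CONTACT = {}
for _a in ACCOUNTS:
    BY_CONTACT[_a.email.lower()] = _a
    BY_CONTACT[_a.phone] = _a


def _find(identifier: str) -> Optional[Account]:
    return BY_CONTACT.get(identifier.strip().lower())


def vulnerable_lookup(identifier: str, client_id: str = "anon") -> dict:
    """The flaw pattern: the response reveals whether the email/phone is tied
    to an account AND returns the account ID, with no rate limit."""
    acct = _find(identifier)
    if acct is None:
        return {"status": "not_found"}
    return {"status": "found", "account_id": acct.account_id}


def public_profile(account_id: int) -> Optional[dict]:
    """An ordinary public-profile endpoint. Harmless on its own; it becomes the
    second half of the scraping chain once IDs can be obtained from contact info."""
    for a in ACCOUNTS:
        if a.account_id == account_id:
            return {"account_id": a.account_id, "screen_name": a.screen_name,
                    "followers": a.followers}
    return None


def enumerate_profiles(candidates: Iterable[str],
                       lookup: Callable[[str], dict],
                       fetch_profile: Callable[[int], Optional[dict]]) -> list:
    """Attacker side: feed a list of emails/phones through the lookup and join
    each hit with its public profile, linking contact info to a handle."""
    linked = []
    for ident in candidates:
        resp = lookup(ident)
        if resp.get("status") == "found" and "account_id" in resp:
            profile = fetch_profile(resp["account_id"])
            if profile:
                linked.append({"contact": ident, **profile})
    return linked


# Hardened version: uniform response plus a per-client request budget.
RATE_LIMIT = 5
_request_counts: dict = defaultdict(int)
_pending_notifications: list = []  # server-side only; never returned to the caller

UNIFORM_RESPONSE = {"status": "ok",
                    "message": "If an account matches, instructions have been sent to it."}


def hardened_lookup(identifier: str, client_id: str = "anon") -> dict:
    """Same body, same status, same fields whether or not the contact exists.
    Any real work (e.g. sending a reset message) happens server-side only."""
    _request_counts[client_id] += 1
    if _request_counts[client_id] > RATE_LIMIT:
        return {"status": "rate_limited"}
    acct = _find(identifier)
    if acct is not None:
        _pending_notifications.append((acct.account_id, identifier))
    return dict(UNIFORM_RESPONSE)


if __name__ == "__main__":
    candidates = ["alice@example.com", "+15550000002", "nobody@example.com"]
    print(enumerate_profiles(candidates, vulnerable_lookup, public_profile))
    print(enumerate_profiles(candidates, hardened_lookup, public_profile))
```

Against `vulnerable_lookup` the enumeration loop links two of the three constructed contacts to handles; against `hardened_lookup` it links none, because nothing in the response distinguishes a hit from a miss. In a real service the uniformity has to extend to the HTTP status code, headers and response time, and the per-client budget should be backed by global anomaly detection, since a 5.4 million-row scrape is exactly the kind of volume that a request-rate alert should catch even when each individual client stays under its limit.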
BleepingComputer later learned that two different threat actors purchased the data for less than the original selling price, and that the data may be released for free in the future.
Today, Twitter confirmed that the vulnerability the threat actors exploited in December 2021 is the same one that was reported through its HackerOne bug bounty program and fixed in January 2022.
Twitter disclosed in today's security advisory: "In January 2022, we received a report of a vulnerability through our bug bounty program that allowed someone to identify the email or phone number associated with an account, or, if they knew someone's email or phone number, they could identify their Twitter account, if it existed."