Twitter Now Acknowledges Security Bug That Exposed Data from 5.4+ Million Accounts

Last month we were the first to report on a breaking data security incident involving Twitter and a database compiled from 5.4 million accounts that was for sale on a cybercrime forum. Today, Twitter has formally acknowledged the security bug that caused this data breach.

Twitter has now officially acknowledged our “news report” that first broke the story about a threat actor leveraging a security vulnerability to acquire data from 5.4+ million accounts.

Last month, we spoke directly with the threat actor selling the data and we also analyzed the data sample that was being sold, confirming its legitimacy. (See the full report here.)

Today, Twitter is now acknowledging the security bug and the subsequent data breach that impacts “some accounts” — but the full number remains unknown.

Twitter goes on to explain in the report how anyone could acquire Twitter account associated with a given email or phone number.

As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021.

This vulnerability is what allowed a threat actor to compile a database of Twitter account data from over 5.4 million Twitter users. The data included the Twitter user’s account handle, phone and/or email, plus other scraped data.

Below is a redacted sample that we analyzed from the cybercrime forum where the full database was being sold for $30,000.

Unfortunately, the impact of this data breach is difficult to quantify.

Full impact of Twitter data breach remains unknown

Unfortunately, there is really no way to know how many Twitter users this vulnerability impacted.

The threat actor has since removed the listing on the cybercrime forum — and this suggests the database has been sold. Additionally, the sample from the database only contained 10 lines, out of 5.4 million.

There may have also been other databased compiled from this security vulnerability.

Twitter has also acknowledged that they are unable to quantify the scope of this breach:

We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.

How this data breach affects Twitter users

This is a serious data security threat that exposes Twitter users to threat actors and cybercriminals.

As we reported last month, the exact number of accounts listed for sale in the database was 5,485,636 based on the seller’s information. However, there could be even more Twitter user’s affected by this breach — there is no way to know for sure at this time.

Particularly concerning is the fact that many people use pseudonymous accounts that could be exposed in this latest breach, as Twitter now admits.

This data could potentially de-anonymize Twitter users in the database and/or expose users to targeted phishing attempts.

Twitter is recommending people enable two-factor authentication to mitigate risks.

While no passwords were exposed, we encourage everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect your account from unauthorized logins.

Additionally, Twitter is also recommending that people not use a “publicly known phone number or email address” with their Twitter account.

To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

Let that one sink in.

Twitter is now saying you should be using a burner email or burner phone number with Twitter, not your real “publicly known” email or phone.

Don’t worry, we’ve got you covered. See our guide on burner email here.