Twitter confirms zero-day used to expose data of 5.4 million accounts (August 2022)
Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users' accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.
Last month, BleepingComputer spoke to a threat actor who said that they were able to create a list of 5.4 million Twitter account profiles using a vulnerability on the social media site.
Today, Twitter confirmed that the vulnerability the threat actor used in December is the same one that was reported to it and fixed in January 2022 as part of its HackerOne bug bounty program.
"In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person's email or phone number, they could identify their Twitter account, if one existed," Twitter disclosed in a security advisory today.
The threat actor claims to have used the flaw to gather the data of 5,485,636 Twitter users.
"We are publishing this update because we aren't able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors," warned the Twitter advisory.