Twitter has confirmed that someone exploited a zero-day vulnerability to access user data.

The company says in a blog post about the incident that the vulnerability in question "allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account."
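The class of bug Twitter describes is an account-enumeration oracle: an identifier-first login step that answers differently depending on whether the phone number or email address is registered. The following Python is an added illustration of that class and its fix, not Twitter's code or a reconstruction of it; the user records, handles, and function names are constructed for the example.

```python
"""Added example: an identifier-first login step that leaks account existence,
beside a hardened version that answers identically for every identifier.
Not Twitter's code. All user data below is constructed for the example."""
import hashlib
import hmac

PBKDF2_ROUNDS = 20_000  # low for a fast demo; production uses far more


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample user table: identifier -> (handle, salt, password hash).
_SALT_A, _SALT_B = b"salt-alice", b"salt-bob"
USERS = {
    "alice@example.com": ("@alice", _SALT_A, _hash_password("correct horse", _SALT_A)),
    "+15550100100": ("@bob_pseudonym", _SALT_B, _hash_password("battery staple", _SALT_B)),
}

# Dummy credential so an unknown identifier costs the same work as a known one.
_DUMMY_SALT = b"dummy-salt"
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)


def vulnerable_identify(identifier: str) -> dict:
    """Step one of a login flow acting as an oracle: the response differs for
    registered and unregistered identifiers and even names the account."""
    entry = USERS.get(identifier)
    if entry is None:
        return {"error": "no_account_for_identifier"}
    return {"next": "password", "handle": entry[0]}


def hardened_identify(identifier: str) -> dict:
    """Same response body for every identifier. Whether the identifier is
    registered is only resolved, silently, once a password is supplied."""
    return {"next": "password"}


def hardened_login(identifier: str, password: str) -> dict:
    """Step two: one generic failure message, and equal work on both paths so
    response time does not become a second oracle."""
    entry = USERS.get(identifier)
    if entry is None:
        # Burn the same PBKDF2 cost against the dummy record.
        hmac.compare_digest(_hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return {"error": "invalid_credentials"}
    handle, salt, stored = entry
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return {"error": "invalid_credentials"}
    return {"ok": True, "handle": handle}


def is_enumeration_oracle(identify, registered: str, unregistered: str) -> bool:
    """Black-box check a tester can run against an identifier-first step:
    a known and an unknown identifier must produce indistinguishable responses."""
    return identify(registered) != identify(unregistered)


if __name__ == "__main__":
    print("vulnerable leaks:", is_enumeration_oracle(vulnerable_identify, "alice@example.com", "nobody@example.com"))
    print("hardened leaks:  ", is_enumeration_oracle(hardened_identify, "alice@example.com", "nobody@example.com"))
    print(hardened_login("+15550100100", "battery staple"))
```

Two caveats a practitioner would add. Equalising the response body is not enough if the unknown-identifier path skips the password hash: a stopwatch then recovers the same bit, which is why the hardened login hashes against a dummy record. And the oracle has to be closed on every endpoint that accepts an identifier (signup, password reset, and account-recovery flows included), since an attacker who already holds a list of phone numbers or email addresses only needs one of them to confirm the mapping.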

Twitter says the flaw was introduced in a June 2021 update, disclosed by a security researcher in January, and then patched later that month. "At that time," the company says, "we had no evidence to suggest someone had taken advantage of the vulnerability."

Now that's changed. BleepingComputer reports that someone exploited this vulnerability before it was patched to scrape information about 5.4 million Twitter accounts, pairing the phone number or email address confirmed through the flaw with each account's publicly available profile data.

In July, Twitter says, it "learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled." The company then reviewed a sample of the data being sold and confirmed that it was legitimate.

"We will be directly notifying the account owners we can confirm were affected by this issue," Twitter says. "We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors."

Twitter officially recommends "not adding a publicly known phone number or email address to your Twitter account" if you're using a pseudonym. That advice does nothing for data that has already been scraped, however, and Twitter regularly prompts users to link a phone number to their account.

PC Magazine