The personal information of 5.4 million Twitter account users has been compromised due to a zero-day vulnerability that allowed threat actors to obtain account details and then sell them on a cybercrime forum.
The bug, which has now been patched, allowed cyber criminals to enter any cell phone number or email address and see the specific account it was linked to.
A report by Bleeping Computer said that they spoke to a threat actor who revealed they were able to create a list of 5.4 million Twitter account profiles using a vulnerability on the social media site. The report also said that the information had been sold for around $30,000.
Twitter said in an official statement that: “While there’s no action for you to take specific to this issue, we want to share more about what happened, the steps we’ve taken and some best practices for keeping your account secure.”
The statement also said that: “We will be directly notifying the account owners we can confirm were affected by this issue.”
Twitter were, however, unable to confirm every account affected by the vulnerability and therefore released their statement knowing there are pseudonymous accounts that can be targeted by state or other actors.
In order to protect users’ accounts, Twitter recommends using two-factor authentication: “While no passwords were exposed, we encourage everyone who uses Twitter to enable two-factor authentication using authentication apps or hardware security keys to protect your account from unauthorized logins.
“If you’re concerned about the safety of your account, or have any questions about how we protect your personal information, you can reach out to our Office of Data Protection through this form.”