At the end of last month, a user on the well-known hacking forum Breached Forums, going by the username 'devil', was selling the account data of 5.4 million Twitter users. Twitter responded by investigating the claim and checking the authenticity of the data.
Today, Twitter confirmed the breach, stating that a bad actor had exploited a vulnerability that had been reported to Twitter through its bug bounty program. Twitter had since fixed the vulnerability and paid a $5,040 bounty to the bug hunter who reported it.
About the vulnerability
Twitter received a report of a vulnerability that allowed anyone to learn the email address or phone number behind a Twitter account. It could be triggered simply by entering a phone number or email address into the log-in flow to learn whether that information was tied to an existing Twitter account and, if so, to which specific account: when someone submitted an email address or phone number to Twitter's systems, those systems would tell the person which Twitter account the submitted email address or phone number was associated with, if any.
The microblogging social network had updated its code in June 2021, and that update introduced the issue.
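The lookup oracle described above, as an added example that is not Twitter's code: the first function leaks which account an email or phone is tied to, the second returns the same body for enrolled and unenrolled identifiers and moves the account-specific step out of band. The account names, contact details and the OUTBOX delivery hook are constructed for the example.

```python
# Added example (not Twitter's code): an account-enumeration oracle in a
# login flow, beside a version that answers uniformly.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str


# Constructed sample directory; these are not real Twitter accounts.
ACCOUNTS = [
    Account("@alice_demo", "alice@example.org", "+15550100"),
    Account("@bob_demo", "bob@example.org", "+15550101"),
]
# Stand-in for a mail/SMS queue: (identifier, handle, code) tuples.
OUTBOX: list[tuple[str, str, str]] = []


def _find(identifier: str):
    """Return the account whose email or phone matches, else None."""
    for acct in ACCOUNTS:
        if identifier in (acct.email, acct.phone):
            return acct
    return None


def login_lookup_vulnerable(identifier: str) -> dict:
    """The oracle: the response body itself reveals whether the identifier
    is linked to an account and, if so, which one."""
    acct = _find(identifier)
    if acct is None:
        return {"status": "error", "message": "No account found for this email/phone."}
    return {"status": "ok", "message": f"Enter the password for {acct.handle}"}


def login_lookup_hardened(identifier: str) -> dict:
    """Uniform response: identical body whether or not the identifier exists.
    The account-specific step (a sign-in code) goes to the submitted contact
    itself, never into the response. Response timing should be equalised
    too; this example only fixes the body."""
    acct = _find(identifier)
    if acct is not None:
        OUTBOX.append((identifier, acct.handle, secrets.token_hex(3)))
    return {"status": "ok", "message": "If this contact is linked to an account, we sent a sign-in code to it."}


def responses_distinguishable(lookup, enrolled: str, unenrolled: str) -> bool:
    """Review check: do an enrolled and an unenrolled identifier produce
    different responses? True means the endpoint is an enumeration oracle."""
    return lookup(enrolled) != lookup(unenrolled)
```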
Notifying users about the issue, Twitter says:
We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.
Although no passwords were exposed, Twitter encourages everyone to enable two-factor authentication using authenticator apps or hardware security keys to protect accounts from unauthorized logins. If you're concerned about the safety of your account or have any questions about your personal information, you can reach Twitter by filling out this form.