Aug 5, 2022 - Technology

Twitter admits breach that exposed phone numbers, email addresses

[Illustration: the Twitter bird logo as an open padlock. Credit: Sarah Grillo/Axios]

Twitter said Friday that a security flaw in its system allowed a hacker to collect the phone number and email address information associated with some user accounts.

Why it matters: Twitter said the security flaw was on its system for six months before it was discovered in January 2022, potentially exposing the information tied to pseudonymous accounts — some of which may have belonged to whistleblowers, human rights activists and other dissidents.

Details: The flaw in Twitter’s systems allowed hackers with access to submit an email address or phone number and see if it was associated with an existing account.

  • Twitter patched the flaw in January, but Friday’s announcement acknowledges that at least one hacker took advantage of the flaw before then.
  • Last month, Twitter said, it became aware through a news report that the hacker was selling that information on the dark web.
  • While the company didn’t say which news report, BleepingComputer reported in July that someone was selling information from 5.4 million Twitter users — collected through the same flaw — for $30,000.

Between the lines: This breach could be a huge problem for people who rely on pseudonymous accounts to remain safe online. Many human rights activists, government dissidents and journalists commonly use fake names online to avoid government surveillance and retaliation.

What’s next: Twitter said it plans to notify the account owners it can confirm were affected by the breach, but the company isn’t able to “confirm every account that was potentially impacted.”

  • Twitter recommends that people who rely on pseudonymous accounts remove their known phone numbers and email addresses from their accounts.