Attackers used a so-called zero-day vulnerability to collect the email addresses and phone numbers of millions of Twitter accounts that went up for sale a few weeks ago. Twitter itself has confirmed this.
The data breach became known at the end of July when a hacker tried to sell the phone numbers and email addresses of 5.4 million Twitter accounts. The attacker collected those profiles in December 2021 via a then-unknown vulnerability on the Twitter website.
The vulnerability allowed anyone to enter an email address or phone number to see if it was linked to a Twitter account and then query the account in question. The attacker used the bug to scrape public information about millions of accounts. In addition to email addresses and phone numbers, the profiles also include the number of followers, location, login, and more.
According to Twitter, the vulnerability responsible for the leak was found through a HackerOne bug bounty program in December of last year and patched in January. Twitter is said to be in the process of contacting victims of the leak.