The microblogging site Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users’ accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.

While Twitter has been forthcoming about the details of the breach, that does not change the fact that the attacker still has the user account data at their disposal. The attacker told BleepingComputer last month that they were able to compile profiles of 5,485,636 accounts, including location, URL, profile picture, and other data. They used a vulnerability that let anyone submit a phone number or email address and learn whether it belonged to an active Twitter account, which in turn let them retrieve that account's public profile and link it to the identifier.
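The linking attack described above works whenever a lookup endpoint answers differently for a known and an unknown identifier. The following Python is an added illustration, not Twitter's code or BleepingComputer's: it models a vulnerable lookup handler beside a hardened one that gives a uniform response and throttles callers, then runs an enumeration loop over a constructed candidate list against both. All names, the sample directory, and the rate-limit budget are assumptions made for the example.

```python
# Added example (not Twitter's code): identifier-to-account enumeration and
# one way to close it. Every identifier, handle and limit below is made up.


# Constructed sample directory mapping email/phone to public profile data.
DIRECTORY = {
    "alice@example.com": {"handle": "@alice", "location": "Berlin",
                          "url": "https://alice.example"},
    "+15550100": {"handle": "@bob", "location": "Austin", "url": ""},
}

# Constructed attacker input: a leaked contact list, only some of which
# correspond to accounts in DIRECTORY.
CANDIDATES = ["alice@example.com", "carol@example.com", "+15550100", "+15550199"]


def lookup_vulnerable(identifier):
    """Vulnerable pattern: confirms whether the identifier belongs to an
    account and returns profile data, so anyone holding a list of emails or
    phone numbers can map each one to a public handle."""
    account = DIRECTORY.get(identifier)
    if account is None:
        return {"status": "no_account"}
    return {"status": "found", **account}


class RateLimiter:
    """Hypothetical per-caller budget. A real deployment would use a sliding
    window keyed on both client identity and source address."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = {}

    def allow(self, caller):
        n = self.counts.get(caller, 0) + 1
        self.counts[caller] = n
        return n <= self.limit


def lookup_hardened(identifier, caller, limiter):
    """Hardened pattern: identical response whether or not the identifier is
    known, so the reply carries no membership signal, and callers that query
    too often are cut off. The directory lookup is still performed on every
    path so that response timing does not differ between the two cases."""
    if not limiter.allow(caller):
        return {"status": "rate_limited"}
    _ = DIRECTORY.get(identifier)  # e.g. to notify the real owner out of band
    return {"status": "ok",
            "message": "If an account exists for this identifier, it has been notified."}


def enumerate_accounts(candidates, lookup):
    """Attacker loop: push each candidate through the lookup and keep the
    ones the service confirms as linked to an account."""
    linked = {}
    for candidate in candidates:
        reply = lookup(candidate)
        if reply.get("status") == "found":
            linked[candidate] = reply["handle"]
    return linked


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(CANDIDATES, lookup_vulnerable))
    limiter = RateLimiter(limit=100)
    print("hardened:", enumerate_accounts(
        CANDIDATES, lambda c: lookup_hardened(c, "scanner", limiter)))
```

Against the vulnerable handler the loop recovers exactly the two linked identifiers; against the hardened one it recovers nothing, because a known and an unknown identifier produce byte-for-byte the same reply, and a caller that keeps probing is throttled before it can accumulate anything from side channels.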

Source: Bleepingcomputer

Crucially, the data was being offered for roughly $30,000 according to the publication, though it was reportedly sold for a significantly smaller amount to at least two separate buyers. The attacker also said at the time that the data could end up being released for free, putting the privacy of millions of users at risk.

Twitter said it is notifying each affected user, but admitted that it cannot confirm every account that was exposed through this loophole. The risk is greatest for pseudonymous accounts: governments, extremist groups or other hostile parties could use the dataset to tie a handle to a real phone number or email address and track down its owner. Passwords were not part of the breach, but the company is advising users to turn on two-factor authentication. Because the leaked phone numbers themselves make SMS codes a weak second factor (a number that is already known is easier to target), users should choose an authentication app or a hardware security key instead, both of which can be set up in the Twitter app's settings.
