Twitter has confirmed that the phone numbers and email addresses from 5.4 million accounts have been stolen due to a zero-day vulnerability on the platform that was originally flagged in January 2022.
The vulnerability meant that if a bad actor entered a phone number or email address and attempted to log in, they were able to learn whether that information was associated with an existing account. This then led to the email addresses and phone numbers associated with 5.4 million accounts being put up for sale on the hacking forum Breach Forums.
Twitter said in a statement that it “will be directly notifying the account owners [it] can confirm were affected by this issue”.
In a previous article by CS Hub on July 27, it was reported that many of the accounts that were up for sale, according to the hacker, belonged to “celebrities, companies, randoms, OGs, etc.”. ‘OGs’ refers to Twitter handles that are either made up of a desirable word like a first name or are very short and contain only a few letters.
Twitter went on to suggest that those who operate “pseudonymous” accounts like OGs that may have been affected by the breach “keep [their] identity as veiled as possible by not adding a publicly known phone number or email address” to their Twitter account. The company clarified that while no passwords were compromised in the breach, it encourages “everyone who uses Twitter to enable 2-factor authentication using apps or hardware security keys to protect your account from unauthorized logins”.