The 5.4 million accounts leaked included Twitter IDs with their associated phone numbers and email information, and were sold on a hacking forum for $30,000 (about RMB 202,800), according to a July 22 Restore Privacy report.
Today, Twitter has officially confirmed that the attack has occurred and that the 0-day vulnerability has been patched.
Twitter officials said it had learned of the vulnerability through its bug bounty program HackerOne back in January of this year, and that the vulnerability emerged gradually after an update to its code in June 2021. While the issue was addressed earlier this year, Twitter said it did not consider the possibility that the attacker already had the data.
According to previous reports, a total of 5,485,636 Twitter accounts’ personal data, which included cell phone numbers, locations, URLs, profile pictures and other data information, were stolen.
Twitter said it is notifying every affected user, but officials could not fully confirm which accounts were exposed due to the security breach. In addition, while passwords were not part of the data breach, Twitter is advising users to turn on double authentication for their accounts.
