Twitter confirmed that 5.4 million users of the platform were victims of the cyberattack that resulted in their data being stolen and leaked, where it would send a notification stating that their confidential information was exposed.

Earlier in the year, the platform received a report of a security breach that scammers could exploit to gain access to their users’ data, through the bug and bounty program run by the HackerOne firm, just as its blog now disclosed.

In particular, the HackerOne platform connects companies like Twitter with hackers so they can test the social network’s security measures, look for flaws and detect them in exchange for financial rewards.

During the process of verifying a duplicate account, a HackerOne user known as ‘zhirinovskiy’ discovered the vulnerability in the Android version of Twitter.

This security breach allowed anyone who entered an email address or phone number to access the corresponding Twitter ID if there was an account associated with that email or number.

As the company recently acknowledged, in an entry posted in the Privacy section of its blog, this system bug was the result of an update to the security code implemented in June 2021.

• This is how Twitter will notify if added tweets have been modified

Twitter stated that when it became aware of this issue, it “immediately” investigated and fixed it. “At the time, we had no evidence that anyone was exploiting the vulnerability,” he said.

However, in July of this year, private media like RestorePrivacy reported that data from 5.4 million accounts had been collected and leaked; This information was later made available for sale on the hacking forum Breached Forums.

After reviewing the data that cybercriminals were marketing on this forum, the social network confirmed that they took advantage of the existing issue before offering a solution months ago.

In this way, he confirmed that the privacy of these users had been breached and stated that he will continue to notify owners of affected accounts that their data has been leaked, but that those affected do not really know all of them.

For users to protect their accounts and protect the information they contain, the company has proposed a set of instructions, such as enabling two-factor authentication. However, he pointed out that in this attack, the threat actors did not have access to the access credentials.

In addition, Twitter recommended that anonymous account holders not associate their account with a “public” phone number or email to keep their identity as private as possible.