Millions of anonymous Twitter accounts may be at risk of an information leak.
Twitter says it was made aware of a vulnerability in January that saw its systems tell someone if a particular email address or phone number they submitted was associated with a specific account. The social media giant received the report through its bug bounty program, it said in a blog post on Friday.
Twitter said the bug resulted from a June 2021 code update, and it fixed the issue when it became aware of it. There wasn’t evidence to suggest anyone took advantage of the bug at the time.
However, the company learned of a report last month that a bad actor took advantage of the information. BleepingComputer, spoke with an individual who accessed the information of 5.4 million accounts.
Twitter says it is notifying as many impacted accounts as it can but says it won’t be possible to inform all of them.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” Twitter writes in the blog post.