Twitter confirmed a cyberattack that compromised data from 5.4 million users and said it plans to notify affected individuals that their confidential information may have been exposed.
Earlier this year, Twitter participated in HackerOne's bug bounty program. The program invites researchers to probe a company's security, report vulnerabilities, and receive monetary rewards for responsible disclosure. A threat actor or tester highlighted a vulnerability that could be exploited to access user data, as described on a security blog associated with the program.
HackerOne acts as an intermediary, linking corporate teams with ethical hackers who rigorously test security controls, identify weaknesses, and disclose findings in exchange for financial rewards. In this case, a tester on the platform, using the handle zhirinovskiy, identified a flaw in the process that checks for duplicate accounts.
The flaw allowed an attacker to retrieve a Twitter ID simply by supplying an email address or phone number, provided that an account was associated with that contact detail. Twitter later acknowledged in a privacy blog post that the issue stemmed from a security code update implemented in June 2021.
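The class of flaw described above, shown as an added example that is not Twitter's code: a contact-lookup handler that reveals the linked account ID, beside a hardened handler that answers identically whether or not the contact is linked, plus a small log check that flags clients querying many distinct contacts. The user table, log lines and the send_notice helper are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample accounts (fake data) keyed by the contact detail linked to them.
USERS_BY_CONTACT = {
    "alice@example.com": 1001,
    "+15555550123": 1002,
}

def send_notice(contact: str) -> None:
    """Hypothetical out-of-band delivery (e.g. a message to the contact owner); no-op here."""

def lookup_vulnerable(contact: str) -> dict:
    """Leaky pattern: the reply says whether the contact is linked and returns the
    account ID, which is what the flaw described above allowed."""
    uid = USERS_BY_CONTACT.get(contact.strip().lower())
    return {"linked": uid is not None, "id": uid}

def lookup_hardened(contact: str) -> dict:
    """Fixed pattern: the same reply for linked and unlinked contacts. Anything
    account-specific goes out of band to the contact owner, so the caller
    learns nothing from the response body."""
    normalized = contact.strip().lower()
    if normalized in USERS_BY_CONTACT:
        send_notice(normalized)
    return {"status": "If this contact is linked to an account, instructions have been sent to it."}

def leaks_linkage(handler, linked: str, unlinked: str) -> bool:
    """True if the handler's replies differ between a linked and an unlinked contact."""
    return handler(linked) != handler(unlinked)

def clients_enumerating(log_lines, threshold: int = 3) -> set:
    """Detection aid: clients that query at least `threshold` distinct contacts
    against the lookup endpoint. Constructed log format: '<client> <endpoint> <contact>'."""
    seen = defaultdict(set)
    for line in log_lines:
        client, endpoint, contact = line.split()
        if endpoint == "/lookup":
            seen[client].add(contact)
    return {client for client, contacts in seen.items() if len(contacts) >= threshold}

# Constructed sample log lines (fake clients and contacts).
SAMPLE_LOG = [
    "client-A /lookup a@example.com",
    "client-A /lookup b@example.com",
    "client-A /lookup c@example.com",
    "client-A /lookup d@example.com",
    "client-B /lookup alice@example.com",
    "client-B /profile alice",
]
```

The hardened handler fixes only the response body; in practice the endpoint also needs rate limiting and a response time that does not depend on whether the contact matched.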
Upon discovering the problem, Twitter stated that it launched an immediate internal investigation and took steps to remediate the vulnerability. At the time of discovery, the company asserted that there was no evidence of exploitation. Nonetheless, in July this year, independent outlets such as RestorePrivacy reported data collection and potential leaks affecting 5.4 million accounts, noting that the information appeared for sale on certain hacker forums.
Following a review of the data advertised on these forums, Twitter confirmed that the issue had indeed been present prior to the rollout of a fix and that steps were taken to address it months earlier. The company has since notified owners of affected accounts that their data may have been exposed, while acknowledging that some users might not fully comprehend the extent of what was accessed.
To help users safeguard their accounts, Twitter recommended a series of protective measures, including enabling two-factor authentication and reviewing connected devices and active sessions. The security guidance emphasized that attackers did not gain access to Twitter account credentials through the reported vulnerability. In addition, the company advised anonymous account holders to avoid linking their accounts to publicly visible phone numbers or email addresses to minimize exposure risk.
Overall, the incident underscores the ongoing need for rigorous vulnerability management, prompt incident response, and user-centric security practices across social media platforms. It also illustrates how bug bounty programs can surface real security gaps, while reminding users that strong authentication and careful privacy settings remain essential defenses against unauthorized access. Researchers and security teams continue to collaborate to reduce risk and improve resilience in the face of evolving cyber threats. (Source: security researchers and corporate disclosures; Attribution: RestorePrivacy reporting and HackerOne program updates)