Hackers may have found out about your secret Twitter accounts

A Twitter security vulnerability allowed a bad actor to discover the account names associated with certain email addresses and phone numbers (and yes, that could include your secret celebrity-stan accounts). This was confirmed by Twitter on Friday. Twitter first fixed the problem in January after receiving a report through its bug bounty program, but a hacker managed to exploit the flaw before Twitter even knew about it.
The vulnerability, which stemmed from an update the platform made to its code in June 2021, went unnoticed until earlier this year. This gave hackers several months to exploit the flaw, although Twitter said it had “no evidence to suggest that anyone had exploited the vulnerability” at the time of discovery.
Last month’s report from BleepingComputer suggested otherwise, revealing that a hacker managed to exploit the vulnerability while it was flying under Twitter’s radar. The hacker allegedly amassed a database of over 5.4 million accounts by exploiting the flaw, then attempted to sell the information on a hacker forum for $30,000. After analyzing the data posted on the forum, Twitter confirmed that user data was compromised.
It’s still unclear how many users have actually been affected, and Twitter doesn’t seem to know either. While Twitter says it plans to notify affected users, it is not “able to confirm all accounts that were potentially affected.” Twitter advises anyone concerned about their secret accounts to enable two-factor authentication, and to attach a non-public email address or phone number to any account they do not want to be associated with.