Twitter hacker steals 5 million celebrity, company, and anonymous accounts’ personal information

There is nothing that users can do to protect their information in this issue

Adam Smith
Monday 08 August 2022 10:48 BST

A Twitter breach has allowed hackers to find the account names and email addresses associated with millions of accounts.

This includes accounts of people who would rather keep their information pseudonymous, such as whistleblowers and celebrity accounts.

“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account”, Twitter said in a blog post confirming the attack.

It also said there is nothing that users can do to protect their information in this issue, but users should enable two-factor authentication on all accounts to better protect against future breaches.

Twitter received a report at the start of this year about a vulnerability in its system: if someone submitted an email address or phone number to Twitter’s systems, those systems would tell the person which Twitter account, if any, that email address or phone number was associated with.
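The lookup behaviour described above, as an added example that is not part of the article or of Twitter’s code: a leaky account lookup beside a hardened one that answers identically whether or not the identifier is registered, plus a check a defender can run against their own endpoint. The sample accounts, handles and the out-of-band queue are constructed.

```python
# Constructed sample directory: login identifier -> handle. Not real accounts.
ACCOUNTS = {
    "whistleblower@example.org": "@anon_source",
    "+15550100": "@some_celebrity",
}

# Constructed stand-in for a side channel the caller cannot observe
# (e.g. an email or SMS sent to the account owner).
OUT_OF_BAND_QUEUE = []


def send_out_of_band(handle: str) -> None:
    """Deliver any account-specific follow-up to the owner, not to the caller."""
    OUT_OF_BAND_QUEUE.append(handle)


def lookup_vulnerable(identifier: str) -> dict:
    """Leaky behaviour, as in the bug the article describes: the response
    reveals whether the email/phone is registered and which handle it maps to.
    Anyone who can call this endpoint gets an account-enumeration oracle."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}


def lookup_hardened(identifier: str) -> dict:
    """Uniform behaviour: the response body is identical for registered and
    unregistered identifiers. The account-specific step happens out of band,
    so the caller learns nothing about who owns the identifier."""
    handle = ACCOUNTS.get(identifier)
    if handle is not None:
        send_out_of_band(handle)
    return {
        "status": "ok",
        "message": "If that identifier is registered, instructions have been sent.",
    }


def is_enumeration_oracle(lookup, registered: str, unregistered: str) -> bool:
    """Defender's check: run the endpoint against one identifier known to be
    registered and one known not to be. Any difference in the response means
    the endpoint leaks account existence and needs the uniform treatment."""
    return lookup(registered) != lookup(unregistered)
```

Response bodies are only one channel; a production check should also compare status codes, headers and response timing between the two inputs.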

The bug was introduced in June 2021, and Twitter fixed it after receiving the report. The company said at the time that it had no evidence of anyone exploiting it maliciously, but that changed in July 2022, when it was reported that information on over 5.4 million accounts was being sold on a hacker forum for $30,000.

"Hello, today I present you data collected on multiple users who use Twitter via a vulnerability. (5485636 users to be exact)," the forum post selling the Twitter data stated, as reported by Bleeping Computer. "These users range from Celebrities, to Companies, randoms, OGs, etc."

Twitter says it will be “directly notifying the account owners we can confirm were affected by this issue”, adding that it is “publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors”.
