A vulnerability in Twitter’s software program that uncovered an undetermined variety of homeowners of nameless accounts to potential id compromise final yr was apparently exploited by a malicious actor, the social media firm mentioned Friday.

It didn’t verify a report that information on 5.4 million customers was provided on the market on-line in consequence however mentioned customers worldwide had been affected.

The breach is very worrisome as a result of many Twitter account homeowners, together with human rights activists, don’t disclose their identities of their profiles for safety causes that embrace worry of persecution by repressive authorities.

“This is very bad for many who use pseudonymous Twitter accounts,” US Naval Academy data security expert Jeff Kosseff tweeted.

The vulnerability allowed someone to determine during log-in whether a particular phone number or email address was tied to an existing Twitter account, thereby revealing account owners, the company said.

Twitter said it did not know how many users may have been affected, and stressed that no passwords were exposed.

“We can confirm the impact was global,” a Twitter spokesperson mentioned through electronic mail. “We cannot determine exactly how many accounts were impacted or the location of the account holders.”

Twitter’s acknowledgment in a blog post Friday followed a report last month by the digital privacy advocacy group Restore Privacy detailing how data presumably obtained from the vulnerability was being sold on a popular hacking forum for $30,000 (roughly Rs. 28.9 lakh).

A security researcher discovered the flaw in January, informed Twitter and was paid a reported $5,000 (roughly Rs. 4 lakh) bounty. Twitter said the bug, introduced in a June 2021 software update, was immediately fixed.

Twitter said it learned about the data sale on the hacking forum from media reports and “confirmed that a bad actor had taken advantage of the issue before it was addressed.”

It mentioned it was straight notifying all account homeowners that it could verify had been affected.

“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” the corporate mentioned.

It really useful customers searching for to maintain their identities veiled not add a publicly identified cellphone quantity or electronic mail handle to their Twitter account.

“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened,” it mentioned.

The revelation of the breach comes whereas Twitter is in a authorized battle with Tesla CEO Elon Musk over his try to again out from his earlier supply to purchase San Francisco-based Twitter for $44 billion (roughly Rs. 3,500 crore).