On Friday, the social media company said that a vulnerability in Twitter’s software that exposed an uncertain number of unknown accounts to potential identity compromise was exploited by a malicious actor.
It did not confirm a report that data from 5.4 million users were offered for sale online as a result but said users around the world were affected.
The breach is particularly worrying because many Twitter account owners, including human rights activists, do not disclose their identities in their profiles for security reasons, including fear of harassment by repressive authorities.
Twitter said it did not know how many users may have been affected and stressed that no passwords were exposed.
“We can confirm the impact was global,” a Twitter spokesperson said via email. “We cannot determine exactly how many accounts were impacted or the location of the account holders.”
Twitter’s approval in a blog post on Friday restores privacy following a report last month by a digital privacy advocacy group that suggested data potentially derived from the vulnerability was being sold on a popular hacking forum for $30,000. .
In January, a security researcher discovered the flaw, informed Twitter, and was awarded a $5,000 reward. Twitter said the bug introduced in the June 2021 software update was fixed immediately.
Twitter said it learned about the data sale on the hacking forum from media reports and “confirmed that a bad actor had taken advantage of the issue before it was addressed.”
It said it directly notifies all account owners it can confirm were affected.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” the company said.
It recommended users seeking to keep their identities veiled not add a publicly known phone number or email address to their Twitter account. “If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened,” it said.
The revelation of the breach comes while Twitter is in a legal battle with Tesla CEO Elon Musk over his attempt to back out from his previous offer to buy San Francisco-based Twitter for $44 billion.