Social media company Twitter has issued a public statement regarding allegations that it was hacked earlier this year.
Writing in a blog post on Friday, the Elon Musk-owned platform said it learned that someone had potentially exploited a vulnerability that Twitter reportedly discovered in January and fixed in June 2022.
The flaw enabled someone submitting an email address to Twitter’s systems to find an associated phone number (if one existed) and vice versa.
According to the announcement, Twitter learned of the vulnerability having been exploited in July, with someone offering to sell the information they had compiled.
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed. At the time, we notified the affected users promptly,” reads the blog post.
“As soon as we became aware of the news, Twitter’s Incident Response Team compared the data in the new report to data reported by the media on 21 July 2022. The comparison determined that the exposed data was the same in both cases.”
The firm also clarified that while no passwords were exposed, Twitter prompted users to enable 2-factor authentication (2FA) to protect accounts from unauthorized logins.
“We also encourage Twitter users to remain extra vigilant when receiving any kind of communications over email, as threat actors may leverage the leaked information to create very effective phishing campaigns.”
The news comes weeks after several C-level security and privacy executives resigned from Twitter following the Elon Musk acquisition of the social media firm.
“With all of the changes at Twitter over the previous few months and concerns about security at the site, the reports of user data leaks were understandably troubling to users, regardless of Twitter’s attempts to minimize concerns,” said Melissa Bischoping, director of endpoint security research at Tanium.
“While the leaked data may have been the result of the previously compiled data and reportedly does not contain passwords, users should still consider this a timely reminder to audit credential hygiene and multi-factor authentication enforcement on all their accounts.”