HackerOne covered the vulnerability back in January. The vulnerability allowed anyone to enter a phone number or email address and then find the associated Twitter ID.
https://counter.social/@ecksmc/109402539512886898
I have obtained multiple files, one per phone number country code, containing the phone number <-> Twitter account name pairing for the entire country’s telephone number space from +XX 0000 to +XX 9999.
Any Twitter account which had the Discoverability | Phone option enabled in late 2021 was listed in the dataset.
The option referred to here is a setting which is pretty deeply hidden within Twitter’s settings, and which appears to be on by default. Here’s a direct link.