HackerOne covered the vulnerability back in January, which allowed anyone to enter a phone number or email address and then find the associated Twitter ID.
https://counter.social/@ecksmc/109402539512886898
I have obtained multiple files, one per phone number country code, containing the phone number <-> Twitter account name pairing for an entire country’s telephone number space from +XX 0000 to +XX 9999.
Any twitter account which had the Discoverability | Phone option enabled in late 2021 was listed in the dataset.
A security specialist who yesterday tweeted about the issue had their Twitter account suspended the same day. Internationally recognized computer security expert Chad Loder predicted Twitter’s reaction, and was confirmed right within minutes.
@ecksmc fun story. I joined burd to learn more from my college instructors and their private research. I did not know about that setting.
I had a "conversation" about AI and its misuses which led to privacy violations in USA. Someone did not agree with me.
Since then my number, because of that particular setting, has been severely compromised. If I wasn't an infosec person, I have no idea what I would have done.
Ben Lovejoy
- Nov. 25th 2022 6:36 am
A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported
#CoSoSec
https://9to5mac.com/2022/11/25/massive-twitter-data-breach/