Twitter Privacy Center

December 9, 2022

Update about an alleged incident impacting some accounts on Twitter

We take our responsibility to protect your privacy very seriously. In response to recent reports of a vulnerability in Twitter’s systems, we want to share a reminder about an incident that took place earlier this year and reassure you about the steps we took to remediate it.

What happened

As we previously reported in August 2022, in January 2022 we received a report through our bug bounty program of a vulnerability in Twitter's systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter's systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it.

In July 2022, we learned through a press report that someone had potentially leveraged this vulnerability and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed. At the time, we notified the affected users promptly.

In November 2022, some press reports stated that Twitter users' data had allegedly been leaked online. As soon as we became aware of the news, Twitter’s Incident Response Team compared the data in the new report to data reported by the media on 21 July 2022. The comparison determined that the exposed data was the same in both cases.

How to Protect Your Account

While no passwords were exposed, we encourage everyone who uses Twitter to enable 2-factor authentication using authentication apps or hardware security keys to protect their account from unauthorized logins. If you’re concerned about the safety of your account, or have any questions about how we protect your personal information, you can reach out to our Office of Data Protection through this form.

We also encourage Twitter users to remain extra vigilant when receiving any kind of communications over email, as threat actors may leverage the leaked information to create very effective phishing campaigns. Be wary of emails conveying a sense of urgency and emails requesting your private information, and always double-check that emails are coming from a legitimate Twitter source.