Your secret Twitter account may no longer be secret

If you have a secret Twitter account, we've got some bad news for you.

On Friday, Twitter disclosed information about a security vulnerability that allowed someone to find out whether a specific email address or phone number is tied to an existing Twitter accounts.

"In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter's systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," the company wrote in a blog post Friday.

This means that, if you had someone's email address or phone number, you could easily find out whether a Twitter account was tied to that address or number. Say you had Elon Musk's address and checked this, and realized that he had an account that was different from the one he usually tweets from – boom, you've just found his secret account. Not great for anyone who wanted to tweet anonymously and/or privately.

The vulnerability was a result of Twitter's code update in June 2021, and Twitter says it "immediately" investigated and fixed it. At the time, Twitter says it has no evidence to suggest someone had taken advantage of the vulnerability.

But a seven-month window in which the vulnerability was "live" appears to have been long enough for someone to figure it out and try to profit of it. Twitter says that, in July 2022, it "learned from a press report" that someone has gathered this info and was trying to sell it online. Twitter reviewed a sample of the data, and realized that this person was indeed selling the real thing.

The press report Twitter is referring to is likely this one from Bleeping Computer, which wrote that a hacker was selling data tied to 5.4 million Twitter users for $30,000 online.

Twitter says it will be directly notifying the affected account owners. If you're one of them, there's not much you can do at this point besides not using a known phone number or email address next time you create a secret account.