Twitter has confirmed a data breach that exposed the information of about 5.4 million of its users last month, citing a vulnerability in its software.
The breach, which was flagged by advocacy group Restore Privacy last month, "allowed someone to enter a phone number or e-mail address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account", the microblogging site said in a statement on its website on Friday.
While San Francisco-based Twitter took responsibility for the "unfortunate" issue, it said there were no specific actions users needed to take.
It also acknowledged that it learnt of the breach "through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled". However, it neither cited Restore Privacy nor confirmed that data was being sold.
"After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed," Twitter said.
No passwords were exposed, the company said. It added that it was encouraging users to enable security protocols, in particular two-factor authentication, to protect their accounts.
The breach is the latest issue to hit the company, which is currently embroiled in a bitter saga with Tesla chief executive Elon Musk after the billionaire withdrew his $44 billion bid to buy the company.
Both sides have traded barbs and are poised for a potentially lengthy and messy court battle, which is set to start in October.
Data breach costs in 2021 were estimated to have risen to $4.24 million from $3.86m, according to an annual study from US technology company IBM.
That was the highest figure in the 17-year history of the report until it was surpassed in IBM's latest 2022 update, which showed that total breach costs were now at $4.35m.
Last month, ride-sharing company Uber Technologies agreed to take responsibility for the cover-up of a data breach in November 2016 that compromised about 57 million users by entering a non-prosecution deal with the US Department of Justice.
Twitter said it could not confirm every account that was potentially affected, but would directly notify account owners who it could confirm had been affected by the breach.
It also issued a warning to users with pseudonymous accounts, which Twitter said can be threatened by state or other actors.
"If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened," Twitter said.
"To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or e-mail address to your Twitter account."
Twitter swung to a second-quarter net loss of more than $270m compared with a net income of nearly $65.6m in the same period a year earlier, it reported last month.