Twitter has disclosed a security incident in which third parties exploited its API to match phone numbers with user accounts. The company has identified and suspended a large network of fake accounts related to the incident and believes state-sponsored actors may also be involved.
The problem came to Twitter's attention on Dec. 24, 2019, when it learned someone was using a network of fake accounts to match phone numbers with usernames by abusing a legitimate feature that, if enabled, lets users find each other on the platform by phone number. A security researcher was able to exploit a flaw in Twitter's Android app to match 17 million phone numbers with user accounts.
Following this report, Twitter launched an investigation and discovered more accounts outside the researcher's findings that may have been exploiting the same official API endpoint beyond its intended function. The company identified accounts "located in a wide range of countries" with a high volume of requests coming from individual IP addresses in Iran, Israel, and Malaysia.
"It is possible that some of these IP addresses may have ties to state-sponsored actors," Twitter said in a statement. "We are disclosing this out of an abundance of caution and as a matter of principle." Changes were made to the endpoint so it no longer returns specific account names in response to queries. Accounts believed to have been exploiting the endpoint are suspended.
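As an added illustration of the abuse pattern the report describes (a high volume of requests to one official endpoint from individual IP addresses and a network of fake accounts) and of the mitigation Twitter describes (the endpoint no longer returning specific account names), the following defender-side example is not Twitter's own code. It aggregates constructed access-log lines for a hypothetical `/contacts/lookup` endpoint per source IP and per account, flags bulk querying, and shows a response shape that withholds account names from flagged callers. The log format, the endpoint path, the thresholds and the sample traffic are all assumptions.

```python
"""Added example (not Twitter's code): spot bulk phone-number lookups against a
contact-matching endpoint from the access-log side, and shape the response so
flagged callers get no account names back.

Assumed (hypothetical) log line format:
  <iso-timestamp> <client-ip> <account-id> <endpoint> <phone-numbers-in-request>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

ENDPOINT = "/contacts/lookup"        # hypothetical endpoint path
IP_NUMBERS_PER_HOUR = 5_000          # illustrative threshold per source IP
ACCOUNT_NUMBERS_PER_HOUR = 1_000     # illustrative threshold per account
MIN_ACCOUNTS_PER_IP = 20             # many accounts behind one IP: fake-account network signal


@dataclass
class Request:
    ts: datetime
    ip: str
    account: str
    endpoint: str
    count: int


def parse_line(line: str) -> Request:
    """Parse one constructed log line into a Request."""
    ts, ip, account, endpoint, count = line.split()
    return Request(datetime.fromisoformat(ts), ip, account, endpoint, int(count))


def find_bulk_lookups(lines):
    """Return (flagged_ips, flagged_accounts) for lookup traffic bucketed by hour.

    An IP is flagged when it submits more numbers than IP_NUMBERS_PER_HOUR in one
    hour, or when MIN_ACCOUNTS_PER_IP or more distinct accounts query through it.
    An account is flagged when it exceeds ACCOUNT_NUMBERS_PER_HOUR in one hour.
    """
    per_ip = defaultdict(int)          # (hour, ip) -> phone numbers submitted
    per_account = defaultdict(int)     # (hour, account) -> phone numbers submitted
    accounts_by_ip = defaultdict(set)  # ip -> distinct accounts seen on the endpoint
    for line in lines:
        r = parse_line(line)
        if r.endpoint != ENDPOINT:
            continue
        hour = r.ts.replace(minute=0, second=0, microsecond=0)
        per_ip[(hour, r.ip)] += r.count
        per_account[(hour, r.account)] += r.count
        accounts_by_ip[r.ip].add(r.account)
    flagged_ips = {ip for (_, ip), n in per_ip.items() if n > IP_NUMBERS_PER_HOUR}
    flagged_ips |= {ip for ip, accts in accounts_by_ip.items() if len(accts) >= MIN_ACCOUNTS_PER_IP}
    flagged_accounts = {a for (_, a), n in per_account.items() if n > ACCOUNT_NUMBERS_PER_HOUR}
    return flagged_ips, flagged_accounts


def lookup_response(matches, caller_flagged):
    """Response shape after the fix: a caller flagged as bulk-querying receives no
    account names, so the endpoint stops acting as a phone-to-username oracle."""
    if caller_flagged:
        return {"matched": len(matches), "accounts": []}
    return {"matched": len(matches), "accounts": list(matches)}


def constructed_log():
    """Constructed sample traffic (not real data); IPs are from documentation ranges."""
    lines = []
    # an ordinary user uploading a small contact list twice
    for i in range(2):
        lines.append(f"2019-12-24T10:0{i}:00 192.0.2.10 alice {ENDPOINT} 50")
    # unrelated traffic to another hypothetical endpoint, ignored by the detector
    lines.append("2019-12-24T10:30:00 192.0.2.11 bob /timeline/home 0")
    # a fake-account network: 25 accounts behind one IP, each under the per-account limit
    for a in range(25):
        for k in range(3):
            lines.append(f"2019-12-24T10:{10 + a // 5 + k:02d}:00 203.0.113.7 bot{a:02d} {ENDPOINT} 100")
    # a single account hammering the endpoint from its own IP
    for k in range(20):
        lines.append(f"2019-12-24T10:{k:02d}:00 198.51.100.5 bot99 {ENDPOINT} 100")
    return lines


if __name__ == "__main__":
    ips, accounts = find_bulk_lookups(constructed_log())
    print("flagged IPs:", sorted(ips))
    print("flagged accounts:", sorted(accounts))
    print(lookup_response(["alice"], caller_flagged="203.0.113.7" in ips))
```

In the constructed traffic the fake-account network is caught on both IP signals (7,500 numbers in the hour and 25 accounts sharing one address) even though each account stays under its own limit, while the lone heavy account is caught on the per-account count alone. Note that the hardened response still returns a match count, which confirms that a number belongs to some account; deployments that want to close that channel too refuse flagged callers outright rather than answering with a count.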
Twitter account holders who disabled the option for "Let people who have your phone number find you on Twitter" are not exposed to the vulnerability; neither are those who don't have a phone number linked to their account.