Twitter announced Monday, February 3, 2020, that it encountered a data security incident that occurred in December of 2019. The incident revealed phone numbers of Twitter users while being matched to its respective usernames.
According to a blog post by the company, a huge number of fake accounts and bad actors exploited its API. This resulted in hackers gaining access to the said information.
Of these requests, most came from Iran, Israel, and Malaysia. However, the blog post revealed that other countries were also participating in said API exploitation. It also said, “It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”
Despite failing to discuss in detail, Tech Crunch states the reason why the social media firm may have attributed the breach as a state-based attack was because the platform was not available in Iran. The social media platform was reportedly banned from use in the country.
Following the discovery, the accounts in question were immediately suspended by the social media platform.
Per the Reuters article, a Twitter company representative declined to disclose how many individuals and phone numbers have been exposed. In a statement, the spokeswoman declared that the company has yet to determine the number of affected accounts.
The incident was uncovered last December 24, 2019. Security researcher Ibrahim Balic was supposedly able to match 17 million Twitter accounts with their respective phone numbers. According to Reuters, Balic obtained this information by exploiting a vulnerability on the Android app.
BBC reports that within two months, the security researcher was able to match the phone numbers to Twitter users in different parts of the globe. These include account holders in Armenia, France, Germany, Greece, Iran, Israel, and Turkey. While Balic found the vulnerability, the security researcher reportedly did not reveal the flaw to Twitter.
Tech Crunch revealed that it was able to identify a senior Israeli politician.
The particular feature in question allows Twitter users to find a fellow user, provided they have obtained the phone number. Account-holders hailing from the European Union remain largely unaffected by the breach as it maintains a strict privacy rule. However, for all other users around the globe, the feature is automatically enabled.
Apart from suspending accounts, the company has also changed its API to prevent similar events and exploitation from happening in the future.