Twitter has gone public about what it describes as “an incident” that directly impacted the privacy of users:
“On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it.”
“During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”
In other words, unauthorised third parties – possibly working for national intelligence agencies – were exploiting a Twitter bug on a grand scale, in an attempt to confirm the phone numbers of Twitter users of interest to them.
The bug itself first became public knowledge on Christmas Eve, when TechCrunch reported on the findings of security researcher Ibrahim Balic.
Balic had discovered that he could generate two billion phone numbers and upload them to Twitter through its official Android app. If the phone numbers in the uploaded lists were not in sequential order, but instead randomized, Twitter’s API would happily fetch information about whichever Twitter user was linked to the number. Balic managed to match 17 million phone numbers to specific Twitter accounts by exploiting the flaw.
Following the publication of the TechCrunch article, it appears that other unknown parties abused the same flaw in an attempt to gather a huge amount of sensitive data about which account was associated with which phone number. Clearly that raises potentially huge privacy issues, and could present a very real danger for some Twitter users living in some countries.
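The abuse pattern described above (a network of accounts each uploading very large, randomised contact lists, with only a tiny fraction of the numbers matching a real account) is the kind of thing a service operator can spot in its own request logs before a researcher or adversary gets to 17 million matches. The following is an added illustration, not code from Twitter or from this article: it runs over a few constructed log lines in a hypothetical `account=… ip=… uploaded=… matched=…` format and flags accounts by upload volume and match ratio, and IP addresses that front many accounts. The thresholds are assumptions chosen for the sample data.

```python
import re
from collections import defaultdict

# Constructed log lines (not real Twitter telemetry). The format is hypothetical:
# <timestamp> account=<id> ip=<address> uploaded=<numbers sent> matched=<accounts returned>
SAMPLE_LOG = """\
2019-12-24T10:00:01Z account=u1001 ip=198.51.100.7 uploaded=40 matched=31
2019-12-24T10:00:09Z account=u2001 ip=203.0.113.5 uploaded=2500 matched=9
2019-12-24T10:00:12Z account=u2002 ip=203.0.113.5 uploaded=2500 matched=11
2019-12-24T10:00:15Z account=u2003 ip=203.0.113.5 uploaded=2500 matched=8
2019-12-24T10:00:18Z account=u2004 ip=203.0.113.5 uploaded=2500 matched=10
2019-12-24T10:00:21Z account=u2005 ip=203.0.113.5 uploaded=2500 matched=12
2019-12-24T10:01:02Z account=u1002 ip=198.51.100.8 uploaded=120 matched=97
2019-12-24T10:02:30Z account=u3001 ip=192.0.2.44 uploaded=900 matched=15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) "
    r"uploaded=(?P<uploaded>\d+) matched=(?P<matched>\d+)$"
)

# Assumed thresholds, tuned for the sample above. A real deployment would derive
# them from the observed distribution of legitimate contact syncs: a genuine
# address book is small and most of its numbers belong to real users, whereas
# a randomised list is huge and almost never matches anyone.
MAX_UPLOADED_PER_ACCOUNT = 1000   # more numbers than any real address book
MIN_UPLOADED_FOR_RATIO = 200      # only judge the match ratio on large uploads
MIN_LEGIT_MATCH_RATIO = 0.10      # below this, the list is probably not contacts
MAX_ACCOUNTS_PER_IP = 3           # more distinct accounts than a household


def parse_log(text):
    """Parse the constructed log format into dicts with integer counters."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["uploaded"] = int(d["uploaded"])
            d["matched"] = int(d["matched"])
            rows.append(d)
    return rows


def account_findings(rows):
    """Map account id -> list of reasons it looks like an enumeration client."""
    totals = defaultdict(lambda: [0, 0])  # account -> [uploaded, matched]
    for r in rows:
        totals[r["account"]][0] += r["uploaded"]
        totals[r["account"]][1] += r["matched"]
    flagged = {}
    for acct, (uploaded, matched) in totals.items():
        reasons = []
        if uploaded > MAX_UPLOADED_PER_ACCOUNT:
            reasons.append("volume")
        if uploaded >= MIN_UPLOADED_FOR_RATIO and matched / uploaded < MIN_LEGIT_MATCH_RATIO:
            reasons.append("low_match_ratio")
        if reasons:
            flagged[acct] = reasons
    return flagged


def ip_findings(rows):
    """Map IP -> sorted account ids when one address fronts many accounts."""
    accounts_by_ip = defaultdict(set)
    for r in rows:
        accounts_by_ip[r["ip"]].add(r["account"])
    return {ip: sorted(a) for ip, a in accounts_by_ip.items()
            if len(a) > MAX_ACCOUNTS_PER_IP}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for acct, reasons in account_findings(rows).items():
        print(f"account {acct}: {', '.join(reasons)}")
    for ip, accts in ip_findings(rows).items():
        print(f"ip {ip}: {len(accts)} accounts uploading contacts")
```

The two signals reinforce each other: the per-account check catches a single client that uploads far more numbers than any address book could hold, or whose uploads almost never resolve to a user, and the per-IP check catches the "large network of fake accounts" pattern, where each account stays under a naive per-account rate limit but all of them share an address. Both are cheap to compute on the server side and neither depends on the client being honest about what it is uploading.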
After all, if someone knows your phone number – you can’t really consider yourself anonymous any more.
Not all Twitter users will have been at risk. Specifically, the only users affected would have been those who had chosen the setting to “Let people who have your phone number find you on Twitter”.
It’s too late now to prevent the data breach that happened in December, but personally my advice would be to turn that option off. Depending on your circumstances you may also wish to disable discoverability via your email address too.
Twitter says that after the attack it made changes to its systems so that it can “no longer return specific account names in response to queries.”
Now the big question that remains is who was so keen to collect this private information about Twitter users, and what do they plan to do with it?