Twitter reveals that ‘someone’ was using a large network of fake accounts to exploit its API and match phone numbers to usernames.
When used as intended, the affected API endpoint matches phone numbers to Twitter accounts for those people who have enabled the “Let people who have your phone number find you on Twitter” option and who have a phone number associated with their Twitter account.
People who did not have this setting enabled, or who had no phone number associated with their account, were not exposed by this vulnerability. Twitter says the issue has been fixed and has published further details of its investigation.
The network of accounts has been suspended. During the investigation, Twitter also found additional accounts that it believes may have been exploiting the same API endpoint beyond its intended use case.
The identified accounts were located in a wide range of countries, but a particularly high volume of requests came from individual IP addresses located in Iran, Israel, and Malaysia. Twitter states it is possible that some of these IP addresses have ties to state-sponsored actors.
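To make the abuse pattern concrete, here is an added illustration (not Twitter's code, and not derived from its API): a toy model of a phone-to-username lookup that honours the "find me by phone" setting, alongside a detector that flags the enumeration signals the article describes, namely too many distinct numbers per account, too many per source IP, and submitted numbers that form a swept range rather than a real address book. The user directory, request traffic, threshold values and the `density` heuristic are all constructed assumptions for this example.

```python
"""Toy phone-to-account lookup plus a bulk-enumeration detector.
Added illustration, not Twitter's code; every name, number and threshold is constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class User:
    username: str
    phone: Optional[str]
    discoverable_by_phone: bool  # the "Let people who have your phone number find you" setting


# Constructed directory: only alice and dave are both phone-linked and discoverable.
USERS = [
    User("alice", "+15550000001", True),
    User("bob",   "+15550000002", False),   # number on file, discovery disabled
    User("carol", None,           True),    # discovery enabled, no number on file
    User("dave",  "+15550000003", True),
]
PHONE_INDEX = {u.phone: u.username for u in USERS if u.phone and u.discoverable_by_phone}


def match_contacts(phones):
    """Intended behaviour: map submitted numbers to usernames, only for discoverable accounts."""
    return {p: PHONE_INDEX[p] for p in phones if p in PHONE_INDEX}


@dataclass
class Request:
    account: str       # calling account (assumed: the API is authenticated per account)
    ip: str            # source address of the call
    phones: List[str]  # numbers submitted in this call


def density(phones):
    """Share of submitted numbers whose immediate successor was also submitted.
    A genuine address book is sparse; a swept number range is dense (assumed heuristic)."""
    nums = {int(p.lstrip("+")) for p in phones}
    if not nums:
        return 0.0
    return sum(1 for n in nums if n + 1 in nums) / len(nums)


def detect_enumeration(requests, max_per_account=2000, max_per_ip=2500, max_density=0.5):
    """Aggregate distinct numbers per account and per IP; flag accounts that exceed the
    cap or submit a swept range, and IPs whose combined volume exceeds the cap even
    when each individual account stays under it (constructed thresholds)."""
    by_account = defaultdict(set)
    by_ip = defaultdict(set)
    for r in requests:
        by_account[r.account].update(r.phones)
        by_ip[r.ip].update(r.phones)
    flagged_accounts = sorted(
        a for a, s in by_account.items()
        if len(s) > max_per_account or density(s) > max_density
    )
    flagged_ips = sorted(ip for ip, s in by_ip.items() if len(s) > max_per_ip)
    return flagged_accounts, flagged_ips


def number_range(start, count, step=1):
    """Constructed E.164-style numbers in a fixed +1555 block."""
    return ["+1555%07d" % (start + i * step) for i in range(count)]


def build_sample_requests():
    """Constructed traffic: one real user syncing 30 contacts, one sock puppet sweeping a
    range in 500-number chunks, and two sock puppets on a shared IP that each stay under
    the per-account cap and avoid consecutive numbers."""
    legit = Request("real_user", "198.51.100.7", number_range(0, 30, step=331))
    sweep = number_range(1_000_000, 2001)
    sock1 = [Request("sock1", "203.0.113.5", sweep[i:i + 500]) for i in range(0, len(sweep), 500)]
    sock2 = Request("sock2", "203.0.113.9", number_range(2_000_000, 1500, step=3))
    sock3 = Request("sock3", "203.0.113.9", number_range(3_000_000, 1500, step=3))
    return [legit, *sock1, sock2, sock3]


if __name__ == "__main__":
    print(match_contacts(["+15550000001", "+15550000002", "+15550000009"]))
    print(detect_enumeration(build_sample_requests()))
```

Running the block flags `sock1` on its own (over the per-account cap and submitting a dense range), while `sock2` and `sock3` are only caught through their shared source IP `203.0.113.9`, which is the per-IP volume signal the article attributes to Twitter's investigation. The lookup itself returns only `alice`: `bob` has discovery disabled and the third number belongs to nobody.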
Any account believed to have been exploiting this endpoint has been suspended, and Twitter has made changes to the endpoint following the incident. You can reach Twitter’s Office of Data Protection through this form if you have questions.