Twitter users phone numbers were leaked

Twitter today issued a warning revealing that attackers abused a legitimate functionality on its platform to unauthorizedly determine phone numbers associated with millions of its users’ accounts.

According to Twitter, the vulnerability resided in one of the APIs that has been designed to make it easier for users to find people they may already know on Twitter by matching phone numbers saved in their contacts with twitter accounts.

To be noted, the feature worked precisely as intended, except someone was not supposed to upload millions of randomly generated phone numbers and abuse Twitter to reveal profiles associated with the contact information users added to Twitter for enabling security features.

Though the company is not sure if the bug was exploited by only a single adversary or multiple groups, it has identified several accounts engaged in the attack located in a wide range of countries, primarily from Iran, Israel, and Malaysia.

Based on their IP addresses, Twitter believes some of the accounts who exploited the API flaw may have ties to state-sponsored actors; thus, it is “disclosing this [incident] out of an abundance of caution and as a matter of principle.”

“We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it,” Twitter said in a blog post.

The company became aware of the issue on December 24 last year after a security researcher ‘unethically’ exploited a similar, or the same, loophole in Twitter to successfully match nearly 17 million phone numbers to their profiles.

Twitter says the social networking site has since then addressed the issue and there is no action required from the users’ side.

“After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries,” Twitter said.

However, if you’re unaware, you can also stop anyone from finding your profile based on your email address or phone number by navigating to the ‘Discoverability‘ setting in your Twitter account and disable it.

If you are interested in finding these vulnerabilities then you can take our nano degree course on cybersecurity. Also, you can read the article on how cisco got pwned.

author avatar
Prashant is an entrepreneur, author, researcher, and educator. He has done his from KIIT University, masters in Cyber Security from EURECOM, France and post-masters from IIT Delhi in Entrepreneurship. He has previously worked with brands like Google, BMW, etc across the globe. He is also an electric vehicle enthusiast. Prashant has published over 10+ research papers and 1 book. His research paper was awarded the best paper in "Junior Science Congress" by then-president Dr. A. P. J Abdul Kalam.You can book him as a mentor from:

Leave A Reply

Your email address will not be published. Required fields are marked *