Fake Twitter accounts used to match phone numbers to users


Twitter reveals a cybersecurity issue: API feature allowed hackers to link phone numbers to user accounts

An incident in Twitter impacted users' identity


Twitter officially addressed the security incident in a report posted on Monday.[1] The social network revealed that it had discovered and fixed an issue exploited by attackers who managed to match specific phone numbers to the corresponding accounts.[2]

On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers.

The bug resided in one of the API (Application Programming Interface) features built to let users find people they already know on Twitter by matching the phone numbers saved in their phone contacts. A hacker or a group of malicious actors is known to have successfully matched nearly 17 million phone numbers to user profiles.

The feature worked as intended for a long time, until the attacker uploaded millions of random phone numbers and abused the social media platform to reveal account information together with phone numbers that users had added for security purposes.[3]

Twitter said that the attacks might have been performed by state-sponsored threat actors

The investigation revealed that additional accounts were used to exploit the vulnerable API endpoint and obtain the phone numbers disclosed by Twitter accounts. According to the report, a large number of IP addresses linked to those accounts were located in Iran, Israel, and Malaysia, while a smaller number were distributed more evenly around the world. Investigators speculate that some of them may be tied to bad actors connected to a government, which is why disclosing the incident was “a matter of principle.”

Twitter suspended the large network of fake accounts found during the investigation and fixed the vulnerability. However, according to other researchers, the flaw may also have been exploited by third-party actors whom Twitter did not identify. The social network does not rule out the possibility that state-sponsored actors were involved in the incident.[4]

The vulnerability is fixed – no action required on the users’ side

Twitter states that the issue has been addressed and the bug fixed on its side, so users do not need to do anything. A number of changes have already been made to the API endpoint so that, according to the company, such issues cannot occur again.

The company says that the attackers exploited a legitimate API feature but that not all Twitter users were affected. Only those who had enabled the option to be found by phone number in their account settings might be at risk.
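To make the mechanism concrete, here is an added example (not Twitter's code, and not anything from the report) of how a contact-matching endpoint can be built so that the abuse pattern described above, a single actor uploading millions of random phone numbers, is limited and detected. The directory, the per-account quota, the match-rate threshold and the function names are all hypothetical: only numbers belonging to users who opted into phone-number discovery are ever matched, each account has a daily cap on how many numbers it may sync, and a large batch whose match rate is far below what a genuine address book produces is held back for review instead of being answered.

```python
"""Hypothetical contact-matching endpoint with abuse controls (added example)."""
from collections import defaultdict

# Constructed directory for the example: phone number -> (username, opted into discovery).
DIRECTORY = {
    "+15550001001": ("alice", True),
    "+15550001002": ("bob", True),
    "+15550001003": ("carol", False),   # number on file for security, but opted out of discovery
    "+15550001004": ("dave", True),
}

DAILY_NUMBER_CAP = 5000        # hypothetical per-account cap on numbers synced per day
MIN_MATCH_RATE = 0.05          # a real address book matches far more often than random sprays
MIN_BATCH_FOR_RATE_CHECK = 200 # only judge match rate on batches big enough to be meaningful

_uploaded_today = defaultdict(int)   # account_id -> numbers synced so far today


class ContactSyncBlocked(Exception):
    """Raised when a sync request is refused by an abuse control."""


def match_contacts(account_id, numbers):
    """Return {phone_number: username} for discoverable users, enforcing abuse controls.

    Numbers of users who opted out of phone discovery are treated exactly like
    unknown numbers, so the response never confirms that such a number is on file.
    """
    unique = set(numbers)

    # Control 1: per-account volume quota, checked before any lookup happens.
    if _uploaded_today[account_id] + len(unique) > DAILY_NUMBER_CAP:
        raise ContactSyncBlocked("daily contact-sync quota exceeded")
    _uploaded_today[account_id] += len(unique)

    # Control 2: only opted-in users are matchable.
    matches = {}
    for number in unique:
        entry = DIRECTORY.get(number)
        if entry is not None and entry[1]:
            matches[number] = entry[0]

    # Control 3: a big batch that almost never matches looks like number spraying,
    # not a real address book, so the result is withheld and the batch flagged.
    if len(unique) >= MIN_BATCH_FOR_RATE_CHECK:
        if len(matches) / len(unique) < MIN_MATCH_RATE:
            raise ContactSyncBlocked("suspiciously low match rate; batch held for review")

    return matches


def sync_is_blocked(account_id, numbers):
    """Convenience wrapper: True if the sync request trips an abuse control."""
    try:
        match_contacts(account_id, numbers)
    except ContactSyncBlocked:
        return True
    return False


if __name__ == "__main__":
    # A realistic address book: some known contacts, one opted-out user, one stranger.
    print(match_contacts("acct-real", ["+15550001001", "+15550001003", "+15559999999"]))
    # A constructed spray of 300 sequential numbers, none of which belong to anyone.
    spray = [f"+1555{i:07d}" for i in range(300)]
    print("spray blocked:", sync_is_blocked("acct-spray", spray))
```

The important design choice is that the volume and match-rate controls are evaluated per account before the directory is consulted, so an attacker with a network of fake accounts has to pay the quota on every account and still cannot learn anything about numbers whose owners did not opt in.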

If you are one of them, your phone number and username may be used in targeted phishing attacks in the future. Such details are also valuable to other hackers and scammers, so be wary of any messages, DMs, or phone calls from suspicious sources.

Twitter has previously disclosed incidents involving its API features, which does not help the situation and only diminishes users’ trust in its security. Back in 2018, Twitter fixed a bug affecting the permissions dialog shown when authorizing certain applications.[5] That vulnerability left direct messages exposed to third parties without the users’ knowledge.