Twitter security hole allowed state-sponsored hackers to match phone numbers to usernames

Graham Cluley
@gcluley

Twitter has gone public about what it describes as “an incident” that directly impacted the privacy of users:

“On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it.”

“During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”


In other words, unauthorised third parties – who were possibly working for national intelligence agencies – were exploiting a Twitter bug on a grand scale, in an attempt to confirm the phone numbers of Twitter users of interest to them.

The bug itself first became public knowledge on Christmas Eve, when TechCrunch reported on the findings of security researcher Ibrahim Balic.

Balic had discovered that he could generate two billion phone numbers and upload them to Twitter through its official Android app. If the phone numbers in the uploaded lists were not in sequential order, but instead randomized, Twitter’s API would happily fetch information about whichever Twitter user was linked to the number. Balic managed to match 17 million phone numbers to specific Twitter accounts by exploiting the flaw.

Following the publication of the article in TechCrunch, it appears that other unknown parties abused the same flaw in an attempt to gather a huge amount of sensitive data about which account was associated with which phone number. Clearly that raises huge privacy issues, and could present a very real danger for some Twitter users living in some countries.

After all, if someone knows your phone number – you can’t really consider yourself anonymous any more.

Not all Twitter users will have been at risk. Specifically, the only users affected would have been those who had chosen the setting to “Let people who have your phone number find you on Twitter”.

It’s too late now to prevent the data breach that happened in December, but personally my advice would be to turn that option off. Depending on your circumstances you may also wish to disable discoverability via your email address.

Twitter says that after the attack it made changes to its systems so that it can “no longer return specific account names in response to queries.”
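To make the failure mode concrete, here is an added example (not Twitter’s code, and not the researcher’s) of a contact-matching endpoint of the kind the article describes, written from the service’s side. It models the two points above: the “let people who have your phone number find you” opt-in is enforced server-side on every lookup, and abuse is caught by the volume and hit rate of a requester’s lookups rather than by checking whether the uploaded list is sequential, since that check is defeated simply by shuffling the numbers. The batch cap, daily budget, miss-ratio threshold, usernames and phone numbers are all assumptions constructed for the demo.

```python
"""Contact-matching endpoint with enumeration safeguards (added example).

This is not Twitter's code. It models the kind of API the article describes:
a client uploads phone numbers and the service reports which accounts they
belong to. The limits, names and sample data below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_BATCH = 500          # assumed cap on numbers per request
LOOKUP_BUDGET = 5000     # assumed cap on numbers one requester may look up per day
MISS_RATIO_ALERT = 0.95  # assumed threshold: almost every lookup missing = enumeration


@dataclass
class Directory:
    by_phone: dict     # phone number -> username
    discoverable: set  # users who enabled "let people with your number find you"


@dataclass
class RequesterState:
    looked_up: int = 0
    hits: int = 0


class ContactMatcher:
    def __init__(self, directory):
        self.directory = directory
        self.state = defaultdict(RequesterState)

    def match(self, requester, numbers):
        """Return (phone, username) pairs for numbers owned by discoverable users.

        The abuse check is on volume and hit rate, not on whether the list is
        sequential: an ordering check is bypassed by shuffling the numbers.
        """
        if len(numbers) > MAX_BATCH:
            raise ValueError("batch exceeds MAX_BATCH")
        st = self.state[requester]
        if st.looked_up + len(numbers) > LOOKUP_BUDGET:
            raise ValueError("daily lookup budget exhausted")
        st.looked_up += len(numbers)
        matches = []
        for phone in numbers:
            user = self.directory.by_phone.get(phone)
            # The opt-in setting is enforced per user, server-side, on every lookup.
            if user is not None and user in self.directory.discoverable:
                matches.append((phone, user))
        st.hits += len(matches)
        return matches

    def suspicious_requesters(self, min_lookups=1000):
        """Requesters with many lookups and almost no matches. A real address
        book mostly hits; a run of made-up numbers mostly misses."""
        flagged = []
        for requester, st in self.state.items():
            if st.looked_up < max(min_lookups, 1):
                continue
            if 1 - st.hits / st.looked_up >= MISS_RATIO_ALERT:
                flagged.append(requester)
        return sorted(flagged)


def build_sample_directory():
    """Constructed sample data: 200 accounts, every second one opted in."""
    by_phone = {f"+1555000{i:04d}": f"user{i}" for i in range(1, 201)}
    discoverable = {f"user{i}" for i in range(2, 201, 2)}
    return Directory(by_phone, discoverable)


def run_demo():
    matcher = ContactMatcher(build_sample_directory())
    # An ordinary client syncing a small address book: most numbers match.
    normal = matcher.match("alice", [f"+1555000{i:04d}" for i in (2, 3, 4, 6)])
    # A bulk requester pushing 3,000 non-sequential numbers in 500-number
    # batches (a stride over the 4-digit suffix space, so nothing is in order).
    probe = [f"+1555000{(i * 7919) % 10000:04d}" for i in range(3000)]
    for start in range(0, len(probe), MAX_BATCH):
        matcher.match("bulk", probe[start:start + MAX_BATCH])
    try:
        matcher.match("bulk", probe[:MAX_BATCH + 1])
        oversize_rejected = False
    except ValueError:
        oversize_rejected = True
    return {
        "alice_matches": normal,
        "bulk_looked_up": matcher.state["bulk"].looked_up,
        "oversize_rejected": oversize_rejected,
        "flagged": matcher.suspicious_requesters(),
    }


if __name__ == "__main__":
    print(run_demo())
```

The miss-ratio signal is deliberately simple: because the sample directory only covers 200 of the 10,000 possible suffixes, the bulk requester can match at most 100 of its 3,000 lookups, so it is flagged however the numbers are ordered, while the small address-book sync never reaches the minimum lookup count. In a real deployment the budget and threshold would be tuned against genuine contact-sync traffic, and the per-IP concentration Twitter mentions would be a second signal layered on top.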

Now the big question that remains is who was so keen to collect this private information about Twitter users, and what do they plan to do with it?



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
