By Bruce Sussman
Tue | Feb 4, 2020 | 4:15 PM PST

Twitter's Office of Data Protection says a security incident could impact the privacy of your account. It even apologized for the situation:

"We're very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."

Twitter API abused on the popular social networking site

A statement this week from Twitter describes the issue and the investigation.

It centers on an API endpoint used when you enable the "Let people who have your phone number find you on Twitter" option.

Says Twitter:

"On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it's important that you are aware of what happened, and how we fixed it. 

During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle."

The investigation began after TechCrunch reported on a security researcher who used the vulnerability to match 17 million phone numbers to user accounts.

Twitter changes following API abuse

The social media company says it has closed this vulnerability and rooted out the accounts behind this attack:

"After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint." 
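The abuse pattern Twitter describes, many phone-number lookups spread across a cluster of accounts behind a single IP address, is something a defender can look for in request logs for a contact-sync endpoint. The following is an added example, not code from the article or from Twitter; the log format, the sample rows and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample request log for a contact-sync endpoint (not real data).
# Each line: unix_timestamp,source_ip,account_id,phone_numbers_in_batch
# 203.0.113.10: four different accounts, 2000 numbers, one IP -> enumeration pattern
# 192.0.2.5:    one account uploading a large address book -> single user, not flagged
# 198.51.100.7: one account, small batches -> ordinary contact sync
SAMPLE_LOG = """\
1577145600,203.0.113.10,acct_0001,500
1577145601,203.0.113.10,acct_0002,500
1577145602,203.0.113.10,acct_0003,500
1577145603,203.0.113.10,acct_0004,500
1577145605,192.0.2.5,acct_5555,3000
1577145604,198.51.100.7,acct_9001,12
1577145610,198.51.100.7,acct_9001,8
"""


def parse_log(text):
    """Parse the constructed CSV format into (timestamp, ip, account, count) rows."""
    rows = []
    for line in text.strip().splitlines():
        ts, ip, acct, n = line.split(",")
        rows.append((int(ts), ip, acct, int(n)))
    return rows


def flag_enumeration(rows, window=3600, max_numbers=1000, min_accounts=3):
    """Return {ip: (distinct_accounts, total_numbers)} for source IPs that, within
    one fixed time bucket of `window` seconds, looked up more than `max_numbers`
    phone numbers spread over at least `min_accounts` different accounts.
    The thresholds are assumptions chosen for illustration; tune them to real traffic.
    """
    accounts = defaultdict(set)   # (ip, bucket) -> set of account ids
    totals = defaultdict(int)     # (ip, bucket) -> phone numbers looked up
    for ts, ip, acct, n in rows:
        key = (ip, ts // window)
        accounts[key].add(acct)
        totals[key] += n
    flagged = {}
    for (ip, _bucket), total in totals.items():
        n_accts = len(accounts[(ip, _bucket)])
        if total > max_numbers and n_accts >= min_accounts:
            # Keep the worst bucket seen for this IP
            if ip not in flagged or total > flagged[ip][1]:
                flagged[ip] = (n_accts, total)
    return flagged
```

The single account uploading 3000 numbers is deliberately left unflagged: on its own, volume is not the signal, the combination of volume and many accounts sharing one source is.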

Platform manipulation on Twitter

In its announcement, Twitter made it clear this API abuse falls under prohibited actions in the platform manipulation category:

"Platform manipulation refers to the use of Twitter to mislead others and/or disrupt their experience by engaging in bulk, aggressive, or deceptive activity."

The company notes that you are not impacted by this incident if you do not have your phone number associated with your Twitter account.

This is another reminder to give as little information as necessary to open an account.

[RELATED: Insider Threat Case: Twitter Employees Bribed by Saudis]
