Twitter has announced that it has found attempts by hackers to access phone numbers registered with user accounts. The social network became aware of the attack on December 24, 2019, and said that a large number of fake accounts were attempting to exploit its API to match usernames to phone numbers.
Twitter believes that the attack could be state-backed because it observed a high volume of requests coming from individual IP addresses located in Iran, Israel, and Malaysia. Beyond that, it’s unclear who the perpetrator is. It said that it was disclosing the possible link to a state “out of an abundance of caution and as a matter of principle.”
The feature in question is supposed to let new users upload their contact book to find friends and family already registered on the platform. Users who don’t want to be found in this way can disable the option. Twitter said that users who had the option disabled in the first place, or who do not have a phone number associated with their account, were not affected by this vulnerability.
To address the problem, Twitter has altered the feature so that specific account names are no longer given in response to queries. It has also suspended accounts that were found to be making use of this exploit. The company said that it is “very sorry” for what has happened.