Twitter has revealed a security incident that occurred at the end of last year, in which phone numbers were matched to usernames. Twitter discovered the issue on Dec. 24 and said Monday that a large number of fake accounts exploited its API to access the information. The accounts were suspended immediately.
The incident affected users who had a phone number linked to their account and who had enabled the “let people who have your phone number find you on Twitter” option. The API that links these phone numbers to usernames was exploited by the fake accounts.
“Someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers,” a Twitter spokesperson said in an emailed statement. “After our investigation, we immediately fixed the issue by making a number of changes to the specific API endpoint that was being exploited.”
The fake accounts came from multiple countries, mainly Iran, Israel and Malaysia, Twitter said. The social media giant said it’s possible some of those accounts were tied to state-sponsored actors.
It’s believed several thousand accounts were affected, but Twitter could not confirm the number. It also did not immediately respond to questions on whether the malicious actors were uncovering phone numbers that were supposed to stay private, or whether any of that data was public in the first place.