Twitter Corrects an Exploited API Endpoint That Matched Usernames, Phone Numbers

The social network suspended a large network of fake accounts

A high volume of requests came from individual IP addresses located within Iran, Israel and Malaysia

Twitter discovered something last Christmas Eve, and it wasn’t presents under a tree.

The social network said in a blog post that it became aware of a large network of fake accounts last Dec. 24 that was exploiting its application-programming interface to match usernames to phone numbers.

The accounts were immediately suspended, and changes were made to the API endpoint that had been exploited in order to prevent similar breaches.

Twitter said in its blog post, “While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP (internet protocol) addresses located within Iran, Israel and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”

The social network said that, when used as intended, the affected API endpoint lets new account holders find people they might already know on Twitter by matching phone numbers to accounts. It only returns accounts that have enabled the setting allowing people who have their phone number to find them on Twitter.

Twitter said it immediately made changes to the endpoint so that it could no longer return specific account names in response to queries.
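As an added illustration, not Twitter's code or a description of its actual fix, the lookup below contrasts the exploited behaviour (a phone number returns the account name regardless of the owner's setting) with a hardened version that honours the discoverability setting, throttles a client whose per-IP volume looks like enumeration, and reports only that a match exists rather than who it is. The directory, threshold and IP addresses are constructed for the demo.

```python
from collections import defaultdict

# Constructed sample directory: phone -> (username, discoverable_by_phone).
# The boolean models the "let people who have my number find me" setting.
DIRECTORY = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", False),
    "+15550000003": ("carol", True),
}

# Per-client request counter; the threshold is an assumed demo value.
ENUMERATION_THRESHOLD = 3
_requests_by_ip = defaultdict(int)


def lookup_weak(phone):
    """The behaviour the post describes as exploited: any number present
    in the directory comes back with its account name, whatever the
    owner's discoverability setting."""
    entry = DIRECTORY.get(phone)
    return entry[0] if entry else None


def lookup_hardened(phone, client_ip):
    """Honours the discoverability setting, stops answering a client whose
    volume looks like enumeration, and never returns the account name."""
    _requests_by_ip[client_ip] += 1
    if _requests_by_ip[client_ip] > ENUMERATION_THRESHOLD:
        return {"status": "throttled"}
    entry = DIRECTORY.get(phone)
    if entry is None or not entry[1]:
        # Unknown numbers and opted-out accounts look identical to the caller.
        return {"status": "no_match"}
    return {"status": "match"}  # identity withheld; only the match is reported


def high_volume_ips():
    """Clients that crossed the threshold: the review signal the post
    describes (a high volume of requests from individual IP addresses)."""
    return sorted(ip for ip, n in _requests_by_ip.items()
                  if n > ENUMERATION_THRESHOLD)
```

Even the hardened form is still a registration oracle for a single number, so the throttle and the opt-in setting carry most of the protection; a production design would also tie results to an authenticated session rather than a bare query.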

The social network concluded, “We’re very sorry this happened. We recognize and appreciate the trust you place in us, and we are committed to earning that trust every day. You can reach out to our Office of Data Protection through this form if you have questions.”
