State Actors May Have Accessed Twitter Accounts


This week Twitter warned that state-sponsored hackers may have accessed the phone numbers of some users. The issue was first discovered on December 24, 2019, when security researchers alerted the social media service that a large network of fake accounts was trying to exploit Twitter's API to match user names with phone numbers.

Twitter announced on Monday via a blog post that it had immediately suspended those accounts and disclosed the details of its investigation. During that investigation the company discovered additional accounts that it also believed may have been exploiting the same API.

The micro-blogging service also noted that the bogus accounts were located in "a wide range of countries engaging in these behaviors." Twitter saw a particularly high volume of requests coming from individual IP addresses located within Iran, Israel and Malaysia – and Twitter suggested, "It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle."

Twitter has not said how many users' phone numbers may have been exposed. However, last month TechCrunch had reported that security researcher Ibrahim Balic was able to match some 17 million phone numbers to specific Twitter users' accounts. He was able to do so by exploiting a flaw in the Android app's contacts feature, which is designed to allow people who already have another user's phone number to make contact with them via the service.

Balic was reportedly then able to generate more than two billion phone numbers, which he uploaded to Twitter and over a two-month period those numbers were matched with users in Armenia, France, Germany, Greece, Iran and Turkey.
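The pattern described above (a network of accounts feeding generated phone-number ranges to a contact-matching endpoint and harvesting whatever matches come back) leaves a distinctive trace in a service's own API logs. The following is an added example, not code from Twitter or from the article: it assumes a constructed log with one record per contact-upload call (timestamp, account, client IP, numbers submitted, numbers matched) and flags accounts on three signals the story itself points to: submission volume far beyond any real address book, a near-zero match rate typical of generated ranges, and many uploading accounts behind a single IP. Thresholds and sample data are constructed for illustration.

```python
"""Detect bulk phone-number enumeration against a contact-matching API.

Added example, not Twitter's code. Assumes an API log with one record per
contact-upload call: ISO timestamp, account id, client IP, number of phone
numbers submitted, number of matches returned. All data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed thresholds (not values from the article).
MAX_SUBMITTED_PER_WINDOW = 10_000  # far above any genuine address book
MIN_SUBMITTED_FOR_RATE = 1_000     # only judge match rate on sizeable uploads
MIN_MATCH_RATE = 0.01              # generated number ranges match almost nothing
MIN_ACCOUNTS_PER_IP = 5            # many uploading accounts behind one IP


@dataclass(frozen=True)
class UploadEvent:
    ts: datetime
    account: str
    ip: str
    submitted: int
    matched: int


# Constructed sample log: a few real users syncing an address book, one
# lone account probing a generated range, and a cluster of fake accounts
# on a single IP each submitting 5000 numbers per call, three calls a day.
SAMPLE_LOG = [
    "2019-12-24T10:00:00 alice 203.0.113.10 120 37",
    "2019-12-24T10:05:00 bob 198.51.100.7 340 58",
    "2019-12-24T09:00:00 carol 203.0.113.22 800 210",
    "2019-12-24T21:00:00 carol 203.0.113.22 900 230",
    "2019-12-24T11:00:00 fake07 192.0.2.51 3000 2",
]
for i in range(1, 7):
    for call in range(3):
        SAMPLE_LOG.append(
            f"2019-12-24T{12 + call:02d}:{i:02d}:00 fake{i:02d} 192.0.2.50 5000 {call + 2}"
        )


def parse_log(lines):
    """Parse whitespace-separated log records into UploadEvent objects."""
    events = []
    for line in lines:
        ts, account, ip, submitted, matched = line.split()
        events.append(UploadEvent(datetime.fromisoformat(ts), account, ip,
                                  int(submitted), int(matched)))
    return events


def peak_in_window(events, window):
    """Largest number of phone numbers one account submitted within any sliding window."""
    events = sorted(events, key=lambda e: e.ts)
    peak = total = start = 0
    for end, e in enumerate(events):
        total += e.submitted
        while events[end].ts - events[start].ts >= window:
            total -= events[start].submitted
            start += 1
        peak = max(peak, total)
    return peak


def analyze(events, window=timedelta(hours=24)):
    """Return accounts flagged by volume, by match rate, and by shared IP."""
    by_account = defaultdict(list)
    accounts_by_ip = defaultdict(set)
    for e in events:
        by_account[e.account].append(e)
        accounts_by_ip[e.ip].add(e.account)

    volume, low_match = set(), set()
    for account, evs in by_account.items():
        if peak_in_window(evs, window) > MAX_SUBMITTED_PER_WINDOW:
            volume.add(account)
        submitted = sum(e.submitted for e in evs)
        matched = sum(e.matched for e in evs)
        if submitted >= MIN_SUBMITTED_FOR_RATE and matched / submitted < MIN_MATCH_RATE:
            low_match.add(account)

    shared_ip = {ip: sorted(accs) for ip, accs in accounts_by_ip.items()
                 if len(accs) >= MIN_ACCOUNTS_PER_IP}
    flagged = volume | low_match | {a for accs in shared_ip.values() for a in accs}
    return {"volume": sorted(volume), "low_match": sorted(low_match),
            "shared_ip": shared_ip, "flagged": sorted(flagged)}


if __name__ == "__main__":
    for key, value in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The match-rate signal is the one a volume cap alone misses: the lone account `fake07` stays under the daily limit yet matches two numbers out of three thousand, which no genuine address book does. Rate limiting per account, as Twitter's fix implies, addresses the volume signal; the other two are what let a defender see a coordinated network rather than a single noisy client.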

Plugging the Hole

Twitter addressed the flaw and fixed it at the end of December, but this still highlights how a simple coding error could leave millions of users vulnerable.

"Twitter suffering an incident regarding a network of fake accounts coordinating a mass exploit of their API to match phone numbers to Twitter profiles is extremely troubling," said Tom Chivers, digital privacy advocate at ProPrivacy.com.

"Given that the company references the possibility of the involvement of 'state-sponsored actors,' you have to wonder what the purpose of this mass-espionage is, and how serious must it be for Twitter to confirm this so quickly," pondered Chivers. "While this news is unfortunate, it is not entirely surprising."

By providing APIs for use by developers, Twitter can often leave the door open for hackers and make situations like this one almost inevitable. However, Twitter was in fact quick to respond and has taken measures to keep this from occurring again.

"I sympathize with Twitter because they've done nothing wrong here and their quick response to this incident clearly explaining the situation is to be commended," added Chivers.

The question, then, is how users can best protect their data from digital services that are repeatedly hacked. The answer is almost obvious.

"Just don't give up this data in the first place," warned Chivers. "While Twitter recommends switching off the 'Let people who have your phone number find you on Twitter' option in their settings, I would go one further – do not freely give up your phone number to Twitter, therefore it cannot be lost. The best person to handle your data is yourself."
