Twitter security hole allowed state-sponsored hackers to match phone numbers to usernames

Twitter has gone public about what it describes as “an incident” that directly impacted the privacy of users:



“On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it.”


“During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”



In other words, unauthorised third parties – possibly working for national intelligence agencies – were exploiting a Twitter bug on a grand scale in an attempt to confirm the phone numbers of Twitter users of interest to them.


The bug itself first became public knowledge on Christmas Eve, when TechCrunch reported on the findings of security researcher Ibrahim Balic.


Balic had discovered that he could generate two billion phone numbers and upload them to Twitter through its official Andro ..
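The abuse pattern described above (a network of fake accounts pushing large batches of phone numbers through a contact-matching endpoint, with high request volume from individual IP addresses) is something a platform's detection team can look for in its own request logs. The following is an added, self-contained example written for this article; it is not Twitter's code and the log layout, field names, IP addresses and thresholds (`max_batch`, `min_accounts`, `min_numbers`) are all constructed assumptions. It applies two complementary checks: a per-request cap on how many numbers one upload may contain, and a per-source-IP aggregate that flags several distinct accounts collectively uploading a large volume from the same address.

```python
import re
from collections import defaultdict

# Constructed sample of contact-upload requests (assumed layout, not a real log format):
# timestamp, source IP, account id, endpoint, number of phone numbers in the batch.
# 203.0.113.10 is four accounts each uploading 5000 numbers; 198.51.100.x are ordinary
# contact syncs; 203.0.113.44 is a single account uploading one oversized batch.
SAMPLE_LOG = """\
2019-12-24T10:00:01Z 203.0.113.10 acct_0001 contact_upload batch=5000
2019-12-24T10:00:02Z 203.0.113.10 acct_0002 contact_upload batch=5000
2019-12-24T10:00:03Z 203.0.113.10 acct_0003 contact_upload batch=5000
2019-12-24T10:00:04Z 203.0.113.10 acct_0004 contact_upload batch=5000
2019-12-24T10:05:10Z 198.51.100.7 acct_0105 contact_upload batch=120
2019-12-24T10:06:31Z 198.51.100.8 acct_0106 contact_upload batch=80
2019-12-24T10:07:00Z 203.0.113.44 acct_0200 contact_upload batch=5000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<account>\S+) contact_upload batch=(?P<batch>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of request records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({
                "ts": m["ts"],
                "ip": m["ip"],
                "account": m["account"],
                "batch": int(m["batch"]),
            })
    return records


def oversized_batches(records, max_batch=1000):
    """Requests whose batch exceeds an assumed per-upload cap.

    A cap like this bounds how many numbers a single call can test, regardless
    of which account makes the call, so it catches even a lone abuser.
    """
    return [r for r in records if r["batch"] > max_batch]


def enumeration_sources(records, min_accounts=3, min_numbers=10000):
    """Flag source IPs where several distinct accounts together uploaded a large
    volume of numbers: the fake-account-network pattern from the incident.

    Returns {ip: {"accounts": distinct account count, "numbers": total uploaded}}.
    Thresholds are assumed values for illustration.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "numbers": 0})
    for r in records:
        per_ip[r["ip"]]["accounts"].add(r["account"])
        per_ip[r["ip"]]["numbers"] += r["batch"]

    flagged = {}
    for ip, stats in per_ip.items():
        if len(stats["accounts"]) >= min_accounts and stats["numbers"] >= min_numbers:
            flagged[ip] = {"accounts": len(stats["accounts"]), "numbers": stats["numbers"]}
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in oversized_batches(recs):
        print(f"oversized batch: {r['ip']} {r['account']} batch={r['batch']}")
    for ip, stats in enumeration_sources(recs).items():
        print(f"enumeration source: {ip} accounts={stats['accounts']} numbers={stats['numbers']}")
```

Run on the constructed log, the aggregate check flags only 203.0.113.10 (four accounts, 20,000 numbers), while the batch cap independently catches all five 5000-number uploads, including the single-account one from 203.0.113.44 that the aggregate check alone would miss. In practice the two checks belong together: the cap limits how much any one request can reveal, and the per-IP aggregate surfaces the coordinated account networks that work around it.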
