Twitter recently disclosed an “incident” in how the service handles phone numbers. The announcement declared that it had shut down “a large network of fake accounts” responsible for uploading lists of phone numbers and then using Twitter’s own API to match them to individual usernames.
According to the Electronic Frontier Foundation (EFF), this is precisely the type of activity used to create reverse-lookup tools: the types of services that match specific users, or their accounts, with an otherwise random phone number.
Twitter, Facebook, and other social networks all offer the option to upload your contact list into the application to connect with other users. The APIs used to support these types of uploads often contain limitations to keep bad actors from exploiting the tools. But there’s almost always a workaround. In Twitter’s case one of the API limitations in place rejects anyone who tries to upload a list of sequential phone numbers — a clear indication that it’s not a user uploading their contacts.
But the security researchers who tipped Twitter off to the problem found a comically simple workaround: randomize the uploaded information to avoid sequential strings of numbers. This allowed them to match phone numbers to usernames for more than 17 million Twitter users, including celebrities and public officials.
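The weak check and the stronger one, side by side, as an added example that is not Twitter's code: the exact rule Twitter applied is not public, so the sequential check below is a plausible reconstruction, and the block-density check is a hypothetical order-independent heuristic that a shuffled upload does not evade. It assumes 10-digit numbers as strings and uses constructed sample data.

```python
"""Added example (not Twitter's code): a sequential-only check on an uploaded
contact list beside a hypothetical block-density check that also catches a
shuffled enumeration block. Numbers are assumed to be 10-digit strings."""
import random
from collections import Counter

BLOCK_PREFIX_LEN = 7                      # 7 of 10 digits: each block holds 1000 numbers
BLOCK_SIZE = 10 ** (10 - BLOCK_PREFIX_LEN)

def is_sequential(numbers):
    """Weak check: flags a list only when it ascends by exactly one.
    Shuffling the same numbers defeats it, which is the bypass in the article."""
    values = [int(n) for n in numbers]
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))

def block_density(numbers):
    """Fraction of each 1000-number block that the upload covers, keyed by prefix.
    Order-independent, so a shuffled block scores the same as a sequential one."""
    counts = Counter(n[:BLOCK_PREFIX_LEN] for n in set(numbers))
    return {prefix: c / BLOCK_SIZE for prefix, c in counts.items()}

def looks_like_enumeration(numbers, max_density=0.05):
    """Flag the upload if any block is covered more densely than a real contact
    list plausibly would be. Caveat: a company's DID range can trip this, so
    treat it as a signal for rate limiting or review, not an automatic ban."""
    return any(d > max_density for d in block_density(numbers).values())

# Constructed sample data (555-01xx numbers are reserved for fiction, not real):
REAL_CONTACTS = ["2125550147", "3105550193", "4155550122", "7735550188", "2065550101"]
ENUMERATED_BLOCK = [f"202555{i:04d}" for i in range(200)]   # 2025550000..2025550199
SHUFFLED_BLOCK = random.Random(0).sample(ENUMERATED_BLOCK, len(ENUMERATED_BLOCK))

if __name__ == "__main__":
    for name, upload in [("real", REAL_CONTACTS), ("sequential", ENUMERATED_BLOCK),
                         ("shuffled", SHUFFLED_BLOCK)]:
        print(f"{name:10s} sequential={is_sequential(upload)!s:5} "
              f"enumeration={looks_like_enumeration(upload)}")
```

The shuffled block passes the sequential check but scores the same density as the ordered one, which is the gap the researchers exploited.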
So far the problem only seems to affect Twitter accounts that have a phone number associated with them and have “phone number discoverability” enabled in their settings. If you’re unsure, you can check the EFF’s step-by-step guide to checking your settings here.
According to Twitter, the API exploit is believed to have originated from IP addresses in Iran, Israel, and Malaysia. “It’s possible that some of these IP addresses may have ties to state-sponsored actors,” a spokesperson wrote.
It’s not the first time Twitter has mangled the handling of users’ phone numbers. In October the company fessed up to allowing advertisers to use phone numbers and email addresses — that users provided for “safety and security purposes” like two-factor authentication — to tailor audiences in its ad tracking system, known as Tailored Audiences and Partner Audiences.
A blog post announcing the issue said:
We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties.
Twitter claimed the mistake was “unintentional” and “inadvertent.”