Twitter Suspended State-Sponsored Hacker Accounts on the Platform

• Twitter apologizes to its userbase after informing everyone that state-backed actors tried to abuse its API.
• It is assumed that a large number of Twitter users have had their names associated with their phone numbers.
• The date of the attacks almost coincides with the time that a researcher uncovered the potential to abuse Twitter’s API.

Twitter has announced that on December 24, 2019, they noticed that someone was coordinating a large number of fake accounts to abuse an API endpoint in a way that could result in the matching of usernames to phone numbers. The social media platform took immediate action to stop this attempt and initiated their investigation to figure out who was behind these attacks. Apparently, they put the blame on state-supported hackers from Israel, Malaysia, and Iran. While Twitter says the API isn’t vulnerable, it still took targeted action to secure it from abuse in the future.

We recently discovered an issue that allowed bad actors to match a specific phone number with the corresponding accounts on Twitter. We quickly corrected this issue and are sorry this happened. You can learn more about our investigation here: https://t.co/Z6Q4geQ8jo

— Support (@Support) February 3, 2020

The feature that requires the particular API endpoint to exist is the function that enables users to find people they know on Twitter by using their phone number. This, of course, is only possible if the user has added a phone number, so this occurrence concerns this particular category of users. If you have not provided Twitter with your phone number, then you have not been exposed. Back in December, a researcher named Ibrahim Balic presented this flaw to the world after he managed to match 17 million phone numbers with Twitter user accounts.

It just so happens that the researcher was a day late compared to the malicious actors who tried to do the same on Twitter. Or at least that’s what the social media platform is telling us right now. What they aren’t telling us is whether or not any users have been compromised as a result of this exploit, how many they are, and if they are planning to notify them of the fact. If you are a Twitter user who has added their phone number on the platform, you are advised to use this online form to address any specific questions you have to the Twitter’s Data Protection Officer.

One detail to note is that the exploit would also work for those who have enabled two-factor authentication via SMS, so if you have provided your phone number for security purposes, you may have been exposed. That said, beware of any phishing and scamming attempts, as your phone number is now a useful resource in the hands of crooks. Also, if you are using the same number to authenticate via 2FA on other platforms, you are now at risk of getting SIM-swapped and losing access to these accounts. If it’s possible, replace that number with a new and undisclosed one.