Twitter recently disclosed that on December 24, 2019, it became aware of a large network of fake accounts abusing the company’s API to match phone numbers to users’ accounts. Twitter noted that some of the IP addresses behind the requests, located in Iran, Israel, and Malaysia, may have ties to state-sponsored actors.
The targeted endpoint was designed to let the owner of a new Twitter account easily find friends already on the platform: the client uploads the phone numbers in its address book, and the API returns the accounts whose owners have enabled the setting that lets them be found by phone number. Accounts that had not enabled the setting were not exposed by this endpoint. By using a large network of fake accounts, the attackers are believed to have fed the feature lists of numbers that were not real contacts and aggregated a large number of phone numbers together with the associated account information. A particularly high volume of these requests came from individual IP addresses located in Iran, Israel, and Malaysia.
Twitter says that once it became aware of the situation it immediately suspended the accounts involved in the attack. It also changed the endpoint so that it no longer returns specific account names in response to queries, which the company expects will prevent further manipulation of the API beyond its intended use. Twitter did not say how many users were affected or give any other basis for estimating the scale. The initial TechCrunch report that alerted Twitter to the issue says a security researcher had been able to connect 17 million phone numbers to their associated accounts.
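To make the abuse pattern and the defender's side of it concrete, the following is an added example and not Twitter's code: a toy contact-discovery endpoint in the abusable shape described above, the log aggregation that would surface a network of fake accounts behind a few IP addresses, and a hardened variant with per-account and per-IP limits plus a check for sequential number scanning. The directory, phone numbers, IP addresses, account names, log entries and thresholds are all constructed for illustration, and the hardening shown is a generic one rather than the specific change Twitter made.

```python
"""Added example, not Twitter's code: a toy contact-discovery endpoint, the
abuse detection a defender would run over its request logs, and a hardened
variant. Every account, phone number, IP address and threshold is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed directory of users who opted in to "find me by phone number".
DIRECTORY = {
    "+15550000101": "alice",
    "+15550000102": "bob",
    "+15550000105": "carol",
    "+15550000107": "dave",
}

# Assumed thresholds (hypothetical): a real address book rarely exceeds a few
# hundred numbers, and one client IP rarely serves many distinct accounts.
MAX_CONTACTS_PER_ACCOUNT = 100
MAX_ACCOUNTS_PER_IP = 5


def match_contacts_weak(numbers):
    """The abusable shape: any caller resolves any number straight to a username,
    with no per-account budget and no link between callers sharing an IP."""
    return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def looks_like_enumeration(numbers, min_run=20):
    """Real contact lists are sparse; a long run of consecutive numbers means the
    caller is scanning a number range rather than uploading an address book."""
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    run = best = 1
    for a, b in zip(digits, digits[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best >= min_run


@dataclass
class Tracker:
    """Per-process state for the hardened endpoint (a real service would keep
    this in a shared store with expiry)."""
    uploads_per_account: dict = field(default_factory=lambda: defaultdict(int))
    accounts_per_ip: dict = field(default_factory=lambda: defaultdict(set))


def match_contacts_hardened(tracker, account, src_ip, numbers):
    """Same feature with the checks applied before any lookup is answered.
    Returns (matches, reason); matches is empty whenever a check fails."""
    tracker.accounts_per_ip[src_ip].add(account)
    if len(tracker.accounts_per_ip[src_ip]) > MAX_ACCOUNTS_PER_IP:
        return {}, "too many accounts from one IP"
    tracker.uploads_per_account[account] += len(numbers)
    if tracker.uploads_per_account[account] > MAX_CONTACTS_PER_ACCOUNT:
        return {}, "account exceeded contact budget"
    if looks_like_enumeration(numbers):
        return {}, "sequential number scan"
    return match_contacts_weak(numbers), "ok"


# Constructed request log: (source IP, account, how many numbers it uploaded).
SAMPLE_LOG = [
    ("203.0.113.7", "fake001", 2000),
    ("203.0.113.7", "fake002", 2000),
    ("203.0.113.7", "fake003", 2000),
    ("203.0.113.7", "fake004", 2000),
    ("203.0.113.7", "fake005", 2000),
    ("203.0.113.7", "fake006", 2000),
    ("192.0.2.9", "bulk01", 5000),
    ("192.0.2.9", "bulk02", 5000),
    ("198.51.100.20", "alice", 50),
]


def suspicious_ips(log, max_accounts=MAX_ACCOUNTS_PER_IP, min_numbers=1000):
    """Aggregate the log per source IP and report the two signals the incident
    described above would have shown: many distinct accounts behind one IP, and
    an upload volume no genuine address-book sync produces."""
    per_ip = defaultdict(lambda: {"accounts": set(), "numbers": 0})
    for ip, account, count in log:
        per_ip[ip]["accounts"].add(account)
        per_ip[ip]["numbers"] += count
    flagged = {}
    for ip, stats in per_ip.items():
        reasons = []
        if len(stats["accounts"]) > max_accounts:
            reasons.append("many accounts")
        if stats["numbers"] >= min_numbers:
            reasons.append("high volume")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    print(suspicious_ips(SAMPLE_LOG))
    t = Tracker()
    print(match_contacts_hardened(t, "alice", "198.51.100.20", list(DIRECTORY)))
```

The weak and hardened functions answer the same legitimate request identically; the difference is only that the hardened one refuses once a caller's behaviour stops looking like a single person syncing one address book. The per-IP fan-out check is the signal most directly tied to the incident as described, since the attack relied on many fake accounts driven from comparatively few addresses, and it is the check that survives even when each individual fake account stays under its own budget.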