
Twitter Says An Attacker Used Its API To Match Usernames To Phone Numbers

Twitter says that third parties exploited an API bug in its social media platform to match Twitter usernames to more than 17 million phone numbers.

Twitter disclosed a security incident where third parties used the company’s official application programming interface (API) to match Twitter usernames to more than 17 million phone numbers.

Twitter told ZDNet in an email that it became aware of exploitation attempts on Dec. 24, 2019, after a report from TechCrunch. The social media platform immediately suspended a large network of fake accounts that had been making the lookups.

Twitter also said that during its investigation into the report, it discovered that the API bug had been exploited by other third parties beyond TechCrunch, and stated that some of the IP addresses used in the API exploitation had ties to state-sponsored actors.

The attackers, according to Twitter, exploited an API endpoint that helps new account holders find people they may already know on the social media site. The endpoint accepts a batch of phone numbers, such as the contents of an address book, and returns the Twitter accounts registered to those numbers. Submitting large volumes of generated numbers instead of a real address book turned it into a bulk phone-number-to-username lookup.

However, Twitter stated that the attack only affected users who had enabled the setting that lets people who have their phone number find their account.

“People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability,” Twitter said.
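The matching endpoint described above, modelled as an added example (not Twitter's code): a weak contact-sync lookup that resolves any known number to a username beside a hardened one that honours the per-user opt-in, caps batch size, enforces a per-account quota and refuses batches that look like a generated number range rather than an address book. The directory entries, thresholds and function names are all constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample user directory (not real data):
# E.164 phone number -> (username, opted in to "let people who have my
# phone number find me").
DIRECTORY = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", False),    # has a number on file but opted out
    "+15550000003": ("carol", True),
}

# Weak variant: resolves every known number to a username, ignoring the
# user's discoverability setting, with no batch cap and no quota. Feeding
# it generated ranges builds a phone -> username table.
def match_contacts_weak(phones):
    return {p: DIRECTORY[p][0] for p in phones if p in DIRECTORY}

MAX_BATCH = 100              # assumed cap on numbers per request
DAILY_QUOTA = 500            # assumed per-account lookups per day
SEQUENTIAL_FRACTION = 0.5    # assumed threshold for "generated range"

def _looks_generated(phones):
    """True when most numbers in the batch are consecutive integers, which a
    real address book practically never is but an enumeration script produces."""
    nums = sorted(int(re.sub(r"\D", "", p)) for p in phones)
    if len(nums) < 2:
        return False
    consecutive = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return consecutive / (len(nums) - 1) >= SEQUENTIAL_FRACTION

class ContactMatcher:
    """Hardened variant: opt-in enforced, batch capped, per-account quota,
    and generated-looking batches rejected outright."""
    def __init__(self):
        self._used = defaultdict(int)   # requesting account -> lookups today

    def match(self, requester, phones):
        if len(phones) > MAX_BATCH:
            raise ValueError("batch exceeds MAX_BATCH")
        if _looks_generated(phones):
            raise ValueError("batch looks like a generated number range")
        if self._used[requester] + len(phones) > DAILY_QUOTA:
            raise PermissionError("daily lookup quota exceeded")
        self._used[requester] += len(phones)
        found = []
        for p in phones:
            entry = DIRECTORY.get(p)
            # An opted-out user is indistinguishable from a non-user.
            if entry is not None and entry[1]:
                found.append(entry[0])
        return found

if __name__ == "__main__":
    # Sequential probe, the kind an enumerator submits.
    probe = [f"+1555000000{i}" for i in range(1, 4)]
    print("weak:", match_contacts_weak(probe))
    m = ContactMatcher()
    try:
        m.match("fresh_account", probe)
    except ValueError as e:
        print("hardened rejected:", e)
    # An address-book-like batch: bob is on file but opted out, so only alice.
    book = ["+15550000001", "+15550000002", "+15559876543", "+15551234567"]
    print("hardened:", m.match("fresh_account", book))
```

A per-account quota on its own does not stop an attacker who controls a large network of fake accounts, which is why the hardened variant also rejects batches shaped like number ranges; in practice that check would be combined with signals the endpoint sees, such as account age and the source IP, before the lookup is served.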


It is no longer possible to query the API and have it return the username associated with a phone number.

Twitter apologized for the data leak but has not said it will contact those affected by it.