Twitter told ZDNet in an email that it became aware of exploitation attempts on Dec. 24, 2019, after a report from TechCrunch. The social media platform immediately suspended a large network of fake accounts.
Twitter also said that during its investigation into the report, it discovered that the API bug had been exploited by other third parties beyond TechCrunch, and stated that some of the IP addresses used in the API exploitation had ties to state-sponsored actors.
The attackers, according to Twitter, exploited an API endpoint that allows new account holders to find people that they may know on the social media site. The API endpoint allows the users to match phone numbers to known Twitter accounts.
However, Twitter stated that the attack only impacted users who had enabled the setting, in the application's settings section, that allows their phone number to be matched to their account.
“People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability,” Twitter said.
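The two controls implied above, returning a match only for accounts that opted in to phone matching and refusing bulk lookups, together with detection of the enumeration pattern (high lookup volume, low hit rate) in request logs, as an added illustration that is not Twitter's code; the user table, the per-client budget and the log lines are constructed for the example:

```python
"""Contact-discovery matching with opt-in enforcement and bulk-lookup detection."""
from collections import defaultdict

# Constructed sample directory: phone -> (username, discoverable_by_phone)
USERS = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", False),    # opted out: must never be returned
    "+15550000003": ("carol", True),
}

# Hypothetical per-client budget: numbers a client may submit per window.
LOOKUP_BUDGET = 5


class ContactMatcher:
    def __init__(self, users=USERS, budget=LOOKUP_BUDGET):
        self.users = users
        self.budget = budget
        self.used = defaultdict(int)   # client_id -> numbers submitted this window
        self.events = []               # audit trail of rejected bulk requests

    def match(self, client_id, phones):
        """Return {phone: username} for opted-in users only; None when over budget."""
        self.used[client_id] += len(phones)
        if self.used[client_id] > self.budget:
            self.events.append((client_id, self.used[client_id]))
            return None
        result = {}
        for phone in phones:
            entry = self.users.get(phone)
            if entry and entry[1]:     # only users who enabled phone matching
                result[phone] = entry[0]
        return result


def flag_bulk_lookups(log_lines, max_submitted=1000, min_hit_rate=0.05):
    """Aggregate per client and flag high volume with a low hit rate."""
    totals = defaultdict(lambda: [0, 0])   # client -> [submitted, matched]
    for line in log_lines:
        _ts, client, submitted, matched = line.split()
        totals[client][0] += int(submitted)
        totals[client][1] += int(matched)
    return sorted(c for c, (sub, hit) in totals.items()
                  if sub > max_submitted and hit / sub < min_hit_rate)


SAMPLE_LOG = [  # constructed: "<timestamp> <client> <submitted> <matched>"
    "2019-12-24T10:00:00Z app-normal 40 12",
    "2019-12-24T10:00:01Z app-bulk 900 7",
    "2019-12-24T10:00:02Z app-bulk 900 5",
    "2019-12-24T10:00:03Z app-normal 35 10",
]
```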
It is no longer possible to query the API and have it return the username associated with a phone number.
Twitter apologized for the data leak but has not said it will contact those affected by it.