Feb. 4 (UPI) — Twitter said it has uncovered a scheme, possibly involving state-sponsored actors in Iran and Israel, to obtain telephone numbers belonging to account holders by exploiting a feature for finding friends.
In a blog post Monday, the social media platform said it discovered the flaw in its system design and has fixed it, but could not say how many user accounts might have been compromised.
“We’re very sorry this happened,” Twitter said. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
Twitter said it found the problem last month when it discovered someone was using a large network of phony accounts to exploit its “application program interface” to match usernames to phone numbers. The company said it “immediately suspended the accounts” and changed the program so that it could no longer return specific account names in response to queries about phone numbers.
During its investigation, Twitter found more accounts whose users were doing the same thing, with many of the the requests coming from within Iran, Israel and Malaysia.
“It is possible that some of these IP addresses may have ties to state-sponsored actors,” Twitter said.
A security researcher said last month he was able to match 17 million phone numbers to Twitter users’ accounts by exploiting the “contacts upload” feature on its Android mobile system app.
The researcher, Ibrahim Balic, told TechCrunch he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany over a two-month period.