February 4, 2020

Twitter said Monday that it had discovered attempts by possible state actors to access the phone numbers associated with user accounts, after a security researcher discovered a flaw in the company’s “upload contacts” feature. In a statement published on its privacy blog, Twitter said it had identified a “large number of requests” to use the feature that came from IP addresses in Iran, Israel, and Malaysia. It said, without elaborating, that “some of these IP addresses may have links with government-sponsored actors.”

A company spokeswoman declined to say how many users’ phone numbers were exposed, and said that Twitter was unable to identify all accounts that might have been affected. She said that Twitter suspected a possible connection with state-backed actors because the Iranian attackers appeared to have unrestricted access to Twitter, even though the network is banned there.

The technology publication TechCrunch reported on December 24 that a security researcher, Ibrahim Balic, had managed to link 17 million phone numbers to specific Twitter accounts by exploiting a flaw in the contacts feature of the Twitter Android app. TechCrunch said it was able to identify a senior Israeli politician by matching a phone number through the tool.

The feature that allows people who have a user’s phone number to find and connect with that user on Twitter is disabled by default for users in the European Union, where strict privacy rules apply. It is enabled by default for all other users worldwide, the spokeswoman said.

Twitter said in its statement that it has changed the feature so that it no longer discloses specific account names in response to requests. It has also suspended all accounts that are believed to have misused the tool. However, the company is not sending individual notifications to users whose phone numbers were exposed, a step that information security experts consider good practice.

