Twitter discloses API vulnerability that allowed snoops to tie phone numbers to accounts

Twitter has made "a number of changes to the endpoint" to fix the issue.

Twitter says it has beefed up security after a “large network of fake accounts” was able to match phone numbers to Twitter accounts using a vulnerability in the platform’s application programming interface.

The vulnerability in Twitter’s application programming interface (API), the interface through which programs submit data to and retrieve data from the service, allowed someone to upload a slew of phone numbers and correlate them with user accounts.

In a statement Monday, Twitter said it became aware of the issue on Dec. 24, the day that news site TechCrunch reported on how a security researcher had matched 17 million phone numbers by exploiting Twitter’s API.

After investigating the issue, Twitter said it found other accounts that were exploiting the API endpoint. Accounts in several countries were abusing the API, but there was a particularly high volume of abuse coming from IP addresses in Iran, Israel, and Malaysia, the social media giant said.
Twitter has suspended the offending accounts and made “a number of changes to the endpoint” to fix the issue, the company said.

Only users who enabled a feature to allow others to find them on Twitter via their phone number were exposed to the issue.
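One way a contact-lookup endpoint can enforce that opt-in and throttle bulk matching, as an added example (not Twitter's code); the directory, per-client ceilings and hit-rate threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample directory: phone number -> (handle, opted in to
# "let people find me by my phone number"). Not real data.
DIRECTORY = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", False),    # opted out: must never be returned
    "+15550000003": ("carol", True),
}

# Assumed per-client ceilings for one rate-limit window.
MAX_REQUESTS_PER_WINDOW = 20
MAX_DISTINCT_NUMBERS_PER_WINDOW = 500


class RateLimited(Exception):
    """Raised when a client's lookup volume looks like bulk enumeration."""


class ContactMatcher:
    def __init__(self, directory=DIRECTORY):
        self.directory = directory
        self.requests = defaultdict(int)   # client -> calls this window
        self.numbers = defaultdict(set)    # client -> distinct numbers submitted
        self.matches = defaultdict(int)    # client -> accounts actually returned

    def match(self, client_id, numbers):
        """Return {number: handle} for opted-in accounts only.

        Volume is checked before any lookup, so the call that trips the
        ceiling reveals nothing.
        """
        self.requests[client_id] += 1
        self.numbers[client_id].update(numbers)
        if (self.requests[client_id] > MAX_REQUESTS_PER_WINDOW
                or len(self.numbers[client_id]) > MAX_DISTINCT_NUMBERS_PER_WINDOW):
            raise RateLimited(client_id)
        result = {}
        for number in numbers:
            entry = self.directory.get(number)
            if entry is not None and entry[1]:   # discoverability opt-in check
                result[number] = entry[0]
        self.matches[client_id] += len(result)
        return result

    def suspicious_clients(self, min_numbers=50, max_hit_rate=0.05):
        """Clients that submitted many numbers but matched almost none: an
        address-book sync hits a fair share, a scan of guessed numbers does not."""
        return sorted(
            c for c, nums in self.numbers.items()
            if len(nums) >= min_numbers
            and self.matches[c] / len(nums) <= max_hit_rate)
```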

This is not the first high-profile API vulnerability that Twitter has had to address. In September 2018, Twitter disclosed that its account activity API had inadvertently leaked sensitive data to other developers.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
