Twitter has revealed a security incident that occurred at the end of last year, where phone numbers were matched to usernames. The company said Monday that a large number of fake accounts exploited its API to access the information. The accounts were suspended immediately.
The incident, discovered on Dec. 24, affected users who have a phone number linked to their account, and who have enabled the “let people who have your phone number find you on Twitter” option. To get the numbers, the fake accounts sent large numbers of requests to the Twitter API, software that serves as an interface between a company’s back-end systems and its websites and apps.
“Someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers,” a Twitter spokesperson said in an emailed statement. “After our investigation, we immediately fixed the issue by making a number of changes to the specific API endpoint that was being exploited.”
It’s an example of a practice called scraping, in which automated requests harvest large amounts of the personal data that users have shared with social networks and other websites. Bad actors send these requests at scale to gather information in bulk. Even though the scraped information is sometimes also public on the user’s social media profile, gathering it this way typically violates a company’s terms of service. Facebook and Instagram have also seen scraping incidents that amassed large amounts of user data. The data is often found for sale on dark corners of the internet.
In the Twitter incident, the fake accounts came from multiple countries, including Iran, Israel and Malaysia, the company said. The social media giant said it’s possible some of those accounts were tied to state-sponsored actors. To collect the data, the fake accounts submitted one phone number after another to the endpoint and received the corresponding Twitter username in response.
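The pattern described above, one phone number after another, spread across a network of accounts, is what a defender would look for in the access logs of a contact-lookup endpoint. The following is an added example written for this article; it is not Twitter's code, and the log format, the endpoint path `/contacts/lookup`, the account and IP values, and the thresholds are all assumptions constructed for the example. It shows why a per-account rate limit alone is not enough: each fake account stays under its own limit, and the enumeration only becomes visible when distinct lookups are also counted per source IP.

```python
"""Enumeration detection for a phone-number contact-lookup endpoint.

Added example for this article, not Twitter's code. The log format, the
endpoint path, the identifiers and the thresholds are assumptions.
"""
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

LOOKUP_ENDPOINT = "/contacts/lookup"   # hypothetical endpoint path
DEFAULT_WINDOW = timedelta(minutes=1)  # sliding window for counting lookups


def build_sample_log():
    """Constructed sample traffic (not real data).

    - acct_legit: one user syncing three contacts from its own address.
    - acct_fake_0 .. acct_fake_4: five accounts on a single source IP, each
      querying four *different* phone hashes within the same minute. Every
      account stays below a per-account threshold, but the network as a
      whole is enumerating. Phone values are hashes, never raw numbers.
    """
    base = datetime(2019, 12, 24, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):
        ts = base + timedelta(seconds=i * 5)
        lines.append(f"{ts.isoformat()} acct_legit 203.0.113.10 {LOOKUP_ENDPOINT} ph_legit_{i}")
    n = 0
    for a in range(5):
        for _ in range(4):
            ts = base + timedelta(seconds=n * 2)
            lines.append(f"{ts.isoformat()} acct_fake_{a} 198.51.100.7 {LOOKUP_ENDPOINT} ph_{n:04d}")
            n += 1
    return "\n".join(lines)


def parse_log(text):
    """Parse lines of '<iso-time> <account> <src_ip> <endpoint> <phone_hash>'
    into (timestamp, account, ip, phone_hash) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, account, ip, endpoint, phone = parts
        if endpoint != LOOKUP_ENDPOINT:
            continue  # only the lookup endpoint is of interest here
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((when, account, ip, phone))
    records.sort(key=lambda r: r[0])
    return records


def peak_distinct_targets(records, key_index, window):
    """For each key (0 = account, 1 = source IP) return the largest number of
    distinct phone hashes looked up inside any sliding window of `window`."""
    peaks = {}
    state = {}  # key -> (deque of (ts, phone), Counter of phones in window)
    for ts, account, ip, phone in records:
        key = (account, ip)[key_index]
        if key not in state:
            state[key] = (deque(), Counter())
        queue, counts = state[key]
        queue.append((ts, phone))
        counts[phone] += 1
        # Drop entries that have aged out of the window.
        while queue and ts - queue[0][0] > window:
            _, old_phone = queue.popleft()
            counts[old_phone] -= 1
            if counts[old_phone] == 0:
                del counts[old_phone]
        peaks[key] = max(peaks.get(key, 0), len(counts))
    return peaks


def flag_enumeration(records, window=DEFAULT_WINDOW, per_account=10, per_ip=15):
    """Return (flagged_accounts, flagged_ips): keys whose peak number of
    distinct lookup targets in one window exceeds the given thresholds."""
    acct_peaks = peak_distinct_targets(records, 0, window)
    ip_peaks = peak_distinct_targets(records, 1, window)
    flagged_accounts = sorted(k for k, v in acct_peaks.items() if v > per_account)
    flagged_ips = sorted(k for k, v in ip_peaks.items() if v > per_ip)
    return flagged_accounts, flagged_ips


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    accounts, ips = flag_enumeration(recs)
    print("flagged accounts:", accounts)   # [] -> the per-account limit is evaded
    print("flagged source IPs:", ips)      # ['198.51.100.7']
```

Counting distinct targets rather than raw request volume matters: a legitimate contact sync repeats the same handful of numbers, whereas enumeration touches a new number on nearly every request. In production the same aggregation would also be applied per ASN or device fingerprint, since an operator of many fake accounts can spread them over more than one IP address.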
It’s believed several thousand fake accounts were suspended, but Twitter couldn’t provide an exact number.