An attacker took advantage of Twitter’s API security flaw to match usernames to phone numbers.
Twitter disclosed a security incident during which third parties exploited the company’s official API to match phone numbers with Twitter usernames.
We recently discovered an issue that allowed bad actors to match a specific phone number with the corresponding accounts on Twitter. We quickly corrected this issue and are sorry this happened. You can learn more about our investigation here: https://t.co/Z6Q4geQ8jo
— Twitter Support (@TwitterSupport) February 3, 2020
The company said that they became aware of exploitation attempts against Twitter’s API security flaw on December 24, 2019, following a report from TechCrunch. The report detailed the efforts of a security researcher who abused a Twitter API feature to match 17 million phone numbers to public usernames.
According to Twitter, the attackers exploited a legitimate API endpoint that allows new account holders to find people they know on Twitter. The API endpoint allows users to submit phone numbers and matches them to known Twitter accounts.
The company stated that the attacks did not impact all Twitter users, but only those who enabled an option in their settings section to allow phone number-based matching.
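The mechanism described above is a classic enumeration risk: a contact-sync endpoint that turns phone numbers into usernames is only safe if it honors each account's opt-in setting and refuses bulk or sequential lookups. The following is an added, constructed example of how a defender might build such an endpoint; it is not Twitter's code, and the account data, thresholds and heuristic (a batch that is mostly consecutive numbers is treated as a sweep rather than an address book) are all assumptions made for illustration.

```python
"""
Hypothetical phone-to-username matcher with enumeration defences.
Constructed example; not derived from Twitter's implementation.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    phone: str
    discoverable_by_phone: bool  # the user's opt-in setting (assumed field name)


@dataclass
class ClientState:
    lookups: int = 0        # numbers submitted in the current window
    flagged: bool = False   # set once enumeration behaviour is observed


class ContactMatcher:
    MAX_LOOKUPS_PER_WINDOW = 500   # constructed threshold per client
    MAX_BATCH = 100                # constructed cap on numbers per request
    SEQUENTIAL_RATIO = 0.8         # share of consecutive numbers that marks a sweep

    def __init__(self, accounts):
        self.by_phone = {a.phone: a for a in accounts}
        self.clients = defaultdict(ClientState)

    @classmethod
    def _looks_sequential(cls, numbers):
        """Heuristic: a real address book is sparse; a sweep is mostly consecutive."""
        digits = sorted(int(n) for n in numbers if n.isdigit())
        if len(digits) < 10:
            return False
        consecutive = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
        return consecutive / (len(digits) - 1) >= cls.SEQUENTIAL_RATIO

    def match(self, client_id, phone_numbers):
        """Return {phone: username} for opted-in accounts only, or raise."""
        state = self.clients[client_id]
        if state.flagged:
            raise PermissionError("client blocked for suspected enumeration")
        if len(phone_numbers) > self.MAX_BATCH:
            raise ValueError("batch too large")
        if state.lookups + len(phone_numbers) > self.MAX_LOOKUPS_PER_WINDOW:
            state.flagged = True
            raise PermissionError("lookup quota exceeded")
        if self._looks_sequential(phone_numbers):
            state.flagged = True
            raise PermissionError("sequential sweep detected")
        state.lookups += len(phone_numbers)
        # Accounts that did not opt in are never returned, even on an exact match.
        return {
            n: self.by_phone[n].username
            for n in phone_numbers
            if n in self.by_phone and self.by_phone[n].discoverable_by_phone
        }


def match_or_reason(matcher, client_id, phone_numbers):
    """Convenience wrapper: the result dict, or the refusal reason as a string."""
    try:
        return matcher.match(client_id, phone_numbers)
    except (PermissionError, ValueError) as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample accounts; 'bob' has not opted in to phone discovery.
    accounts = [
        Account("alice", "15550000100", True),
        Account("bob", "15550000101", False),
        Account("carol", "15550000200", True),
    ]
    matcher = ContactMatcher(accounts)
    print(match_or_reason(matcher, "app1", ["15550000100", "15550000101", "15550000200"]))
    print(match_or_reason(matcher, "sweeper", [str(15550000100 + i) for i in range(20)]))
```

The two controls are independent: the opt-in filter limits what any single lookup can reveal, while the per-client quota and sequential-batch heuristic limit how many lookups an automated caller can make before being blocked. Logging the refusal reasons gives the operations team a signal to investigate rather than just a silently empty response.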
Those who didn’t have the phone number search setting enabled are not at risk, and Twitter has provided a form for those who have further concerns. However, it may be worth assuming that scammers could have your name and phone number, and could use your corresponding Twitter account details for nefarious purposes.