Twitter Says Someone Tried to Discover the Phone Numbers Used by Potentially Millions of Subscribers
Arthur T Knackerbracket has found the following story:
In an advisory on Monday, the social network noted it had "became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers" on December 24.
That is the same day that security researcher Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers to Twitter's contact upload feature, and match them to usernames.
The feature is supposed to be used by tweeters seeking their friends on Twitters, by uploading their phone's address book. But Twitter seemingly did not fully limit requests to its API, deciding that preventing sequential numbers from being uploaded was sufficiently secure.
It wasn't, and Twitter now says that, as well as Balic's probing, it "observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia," adding that "it is possible that some of these IP addresses may have ties to state-sponsored actors."
Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy: not only can you link the identity attached to that number to the identity attached to the username, and potentially fully de-anonymizing someone, you now know which high-value numbers to hijack, via SIM swap attacks, for example, to gain control of accounts secured by SMS or voice-call two-factor authentication.
Read more of this story at SoylentNews.