Twitter says it has discovered attempts by possible state-sponsored hackers to access account holders' telephone numbers. The breach came to light after a security researcher found a flaw in the "contacts upload" feature.
H/T: Sky News
“During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case,” the company said in a statement. “While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors.”
Twitter has since resolved the issue by patching the exploited API endpoint so that it no longer returns specific account names in query responses. The company has also suspended the individual accounts it believes were involved in the exploit.
Twitter users are able to block discovery of their phone number in the “discoverability and contacts” section of their user settings.