In a statement published today, Twitter disclosed a security incident during which third-parties exploited the company's official API (Application Programming Interface) to match phone numbers with Twitter usernames.
In an email seeking clarifications about the incident, Twitter told ZDNet that they became aware of exploitation attempts against this API feature on December 24, 2019, following a report from tech news site TechCrunch. The report detailed the efforts of a security researcher who abused a Twitter API feature to match 17 million phone numbers to public usernames.
Twitter says that following this report it intervened and immediately suspended a large network of fake accounts that had been used to query its API and match phone numbers to Twitter usernames.
During its investigation into the report, the social network told ZDNet that it also discovered additional evidence that this API bug had also been exploited by other third-parties, beyond the security researcher at the heart of the TechCrunch report.
Twitter did not clarify who these third-parties were, but it did say that some of the IP addresses used in these API exploitation attempts had ties to state-sponsored actors, a term used to described either government intelligence agencies, or third-party hacking groups that benefit from a government's backing.
The company said it is disclosing today the findings of its investigation "out of an abundance of caution and as a matter of principle."
The Twitter API bug that was abused in the attack
According to Twitter, the attackers exploited a legitimate API endpoint that allows new account holders to find people they know on Twitter. The API endpoint allows users to submit phone numbers and matches them to known Twitter accounts.