Social media platform Twitter says it is unable to identify the total number of accounts impacted by a recently-identified vulnerability in the platform’s “contacts upload” feature.
With “an abundance of caution and as a matter of principle,” Twitter announced Monday that it has since addressed an issue that allowed possible state-sponsored actors, using IP addresses located in Iran, Israel and Malaysia, to exploit a flaw in the site’s application programming interface (API) and access a number of users’ phone numbers.
Twitter explained that while its probe revealed there were accounts in a wide range of countries that made use of the API exploit, “a particularly high volume of requests” originated from IP addresses tied to Iran, Israel and Malaysia. While it’s unclear whether the profiles were backed by those countries’ governments, they have been removed from the platform.
“If you upload your phone number, it fetches user data in return,” he told the outlet, revealing that he was able to match 17 million phone numbers with users’ accounts on Twitter.
The researcher provided TechCrunch with a sample list, and the outlet reported that it was “able to identify a senior Israeli politician using their matched phone number.”
Twitter did not give an exact figure for how many users were impacted by the possible state-backed actors’ efforts, but the company did reveal that those who had the “let people who have your phone number find you on Twitter” option selected in their settings were at risk during the time the exploit was available.