In a statement published to its privacy blog on Monday, Twitter disclosed details of a previously undisclosed security incident in which a third party used the company's official API (Application Programming Interface) to match phone numbers to Twitter accounts.
"On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it," a statement on Twitter's privacy blog read.
No system was breached: the attackers used a legitimate Twitter API endpoint "beyond its intended use." According to the social media company, the endpoint was designed to help new account holders find people they may already know on Twitter. It works by taking a list of uploaded phone numbers and matching them against accounts whose owners had the "Let people who have your phone number find you on Twitter" option enabled. Because the matching depends on that setting, the abuse did not affect all users, only those who had the option turned on.
"People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability," Twitter said.
The company became aware of the exploitation on December 24, following a TechCrunch report that described how a security researcher had used the endpoint to match 17 million phone numbers to public usernames. While investigating that report, Twitter discovered that other third parties, besides the security researcher, had been exploiting the same weakness.
The social media company did not say exactly who the other third parties were, but it did note that a "high volume of requests coming from individual IP addresses" was associated with Iran, Israel, and Malaysia.
"It is possible that some of these IP addresses may have ties to state-sponsored actors," Twitter wrote. "We are disclosing this out of an abundance of caution and as a matter of principle."
The company stated in its blog that it immediately made a number of changes to the API endpoint so that it no longer returns specific account names in response to queries. Any accounts found to be exploiting the endpoint were also suspended.
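To make the mechanism concrete, here is an added Python model of a contact-discovery endpoint of the kind described above. It is illustrative code written for this article, not Twitter's code, and the hardened variant shows assumed mitigations (quotas per caller account and per source IP, and a response that carries no number-to-account pairing) rather than the exact changes Twitter made. The directory of users, the phone numbers, the IP address and the quota values are all constructed.

```python
"""Why a contact-discovery endpoint is a phone-number oracle, and one way
to harden it.  Added example; not Twitter's code.  The directory, the
numbers and the quota values are constructed for illustration."""
from collections import defaultdict

# Constructed directory: phone number -> (username, discoverable-by-phone).
# Only accounts with the "let people who have your number find you"
# setting enabled are ever matched.
DIRECTORY = {
    "+14155550101": ("alice", True),
    "+14155550102": ("bob", False),    # opted out: never returned
    "+14155550103": ("carol", True),
    "+14155550104": ("dave", True),
    "+14155550105": ("erin", False),   # opted out: never returned
    "+14155550106": ("frank", True),
}


def _discoverable(number):
    """Return the username behind `number` if that account opted in, else None."""
    entry = DIRECTORY.get(number)
    return entry[0] if entry and entry[1] else None


def match_contacts_v1(uploaded):
    """Original, oracle-like behaviour: every uploaded number that belongs to
    an opted-in account comes back paired with that account's username."""
    hits = {}
    for number in uploaded:
        name = _discoverable(number)
        if name:
            hits[number] = name
    return hits


def enumerate_block(prefix, start, end, batch=100):
    """Attacker side: walk a numbering block, upload it in batches and keep
    the hits.  Nothing here is a break-in; each call is an ordinary API call."""
    numbers = [f"{prefix}{i:04d}" for i in range(start, end)]
    found = {}
    for i in range(0, len(numbers), batch):
        found.update(match_contacts_v1(numbers[i:i + batch]))
    return found


class ContactMatcher:
    """Hardened endpoint (assumed mitigations, not Twitter's published fix):
    - the response is a sorted list of suggested accounts with no
      number-to-account pairing, so a batch does not reveal who owns which number;
    - each caller account may upload at most `account_quota` numbers;
    - each source IP may upload at most `ip_quota` numbers across all accounts,
      so a network of fake accounts on a few IPs cannot multiply the
      per-account quota."""

    def __init__(self, account_quota=200, ip_quota=500):
        self.account_quota = account_quota
        self.ip_quota = ip_quota
        self.used_by_account = defaultdict(int)
        self.used_by_ip = defaultdict(int)

    def match(self, caller, source_ip, uploaded):
        uploaded = set(uploaded)
        n = len(uploaded)
        if self.used_by_account[caller] + n > self.account_quota:
            raise PermissionError(f"account {caller}: contact-upload quota exceeded")
        if self.used_by_ip[source_ip] + n > self.ip_quota:
            raise PermissionError(f"ip {source_ip}: contact-upload quota exceeded")
        self.used_by_account[caller] += n
        self.used_by_ip[source_ip] += n
        names = {_discoverable(x) for x in uploaded} - {None}
        return sorted(names)


if __name__ == "__main__":
    # Attacker walks a tiny constructed block and recovers every opted-in user.
    print("v1 leaks:", enumerate_block("+1415555", 100, 110, batch=4))
    # Hardened: the same block from several fake accounts behind one IP.
    matcher = ContactMatcher(account_quota=5, ip_quota=8)
    print("hardened:", matcher.match("acct1", "203.0.113.7",
                                     [f"+1415555{i:04d}" for i in range(100, 105)]))
```

The two quotas are deliberately separate. A per-account limit alone is exactly what a "large network of fake accounts" defeats: each fake account brings a fresh quota. Counting uploads per source IP as well is what makes the high request volume from individual IPs, which Twitter reported, show up as a limit rather than only as an after-the-fact log observation.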
"We’re very sorry this happened," Twitter wrote. "We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."