PogoWasRight.org

An Incident Impacting your Twitter Account Identity

Posted on February 3, 2020 by pogowasright.org

From Twitter:

On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it.

During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.

When used as intended, this endpoint makes it easier for new account holders to find people they may already know on Twitter. The endpoint matches phone numbers to Twitter accounts for those people who have enabled the “Let people who have your phone number find you on Twitter” option and who have a phone number associated with their Twitter account. People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability.

After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint.

Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on stopping abuse of Twitter’s API as quickly as possible. You can learn more about our efforts to protect Twitter from platform manipulation and state-backed activity in the Twitter Transparency Report.

We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day. You can reach out to our Office of Data Protection through this form if you have questions.

Category: Breaches, Business, Online

©2025 PogoWasRight.org. All rights reserved.