Attackers have exploited Twitter in a gigantic grab-and-go that included the personal phone numbers of as many as 17 million users.
Twitter came clean on Monday about a December hack job that exploited its API (application programming interface) by matching usernames with phone numbers via its “Let people who have your phone number find you on Twitter” option. Those who didn’t have that setting enabled lucked out, and their phone number wasn’t exposed.
“We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it,” the company confessed.
While the accounts associated with the hack were from a “wide range of countries,” Twitter’s investigation found “a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia.” The platform says it’s possible that some of those addresses “may have ties to state-sponsored actors” and that it was disclosing that information “out of an abundance of caution and as a matter of principle.”
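The detail that stood out to Twitter was volume: many contact-lookup requests from single IP addresses. The following is an added illustration (not Twitter's code, and not based on its real logs) of how a service can spot that pattern in its own API logs. The log format, the endpoint name `/contacts/upload`, the sample addresses and the thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real Twitter data). Fields:
# timestamp, client IP, method, path, number of phone numbers in the batch.
SAMPLE_LOG = """\
2019-12-24T10:00:01Z 198.51.100.7 POST /contacts/upload 100
2019-12-24T10:00:02Z 198.51.100.7 POST /contacts/upload 100
2019-12-24T10:00:03Z 198.51.100.7 POST /contacts/upload 100
2019-12-24T10:00:04Z 198.51.100.7 POST /contacts/upload 100
2019-12-24T10:00:05Z 198.51.100.7 POST /contacts/upload 100
2019-12-24T10:00:06Z 198.51.100.7 POST /contacts/upload 100
2019-12-24T10:00:07Z 198.51.100.7 POST /contacts/upload 100
2019-12-24T10:00:08Z 198.51.100.7 POST /contacts/upload 100
2019-12-24T10:00:03Z 203.0.113.5 POST /contacts/upload 12
2019-12-24T10:05:00Z 203.0.113.5 POST /contacts/upload 3
2019-12-24T10:00:10Z 192.0.2.9 POST /contacts/upload 40
2019-12-24T10:01:00Z 192.0.2.9 GET /users/me 0
2019-12-24T10:02:30Z 192.0.2.9 POST /contacts/upload 40
2019-12-24T10:04:50Z 192.0.2.9 POST /contacts/upload 40
"""

LOOKUP_ENDPOINT = "/contacts/upload"  # assumed name of the phone-matching endpoint


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, path, batch_size)."""
    ts, ip, _method, path, batch = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, path, int(batch)


def flag_bulk_lookups(log_text, window_seconds=60, max_requests=5):
    """Return {ip: peak request count} for IPs that exceed max_requests
    contact-lookup calls inside any window_seconds-long sliding window.
    Lines are assumed to be in chronological order per IP."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, ip, path, _batch = parse_line(line)
        if path != LOOKUP_ENDPOINT:
            continue  # only the phone-matching endpoint is of interest here
        window = recent[ip]
        window.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


def numbers_submitted(log_text):
    """Total phone numbers each IP pushed through the lookup endpoint.
    A large total from one address is the volume signal the text describes."""
    totals = defaultdict(int)
    for line in log_text.strip().splitlines():
        _ts, ip, path, batch = parse_line(line)
        if path == LOOKUP_ENDPOINT:
            totals[ip] += batch
    return dict(totals)


if __name__ == "__main__":
    print("flagged:", flag_bulk_lookups(SAMPLE_LOG))
    print("numbers submitted per IP:", numbers_submitted(SAMPLE_LOG))
```

On the constructed sample, only 198.51.100.7 trips the request-rate check (eight lookups in eight seconds), while the two quieter addresses stay below the threshold even though one of them also uses the endpoint repeatedly over several minutes. A real deployment would key on account or API-client identity as well as source address, since a single actor can spread requests across many IPs, which is exactly why per-IP rate limits alone were not enough in the case the article describes.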
The Jerusalem Post says its investigation of the matter leads it to believe that former Israeli intelligence agents have found ways to gain backdoor access not only to Twitter, but a variety of social-media platforms. However, the Post stopped short of saying with certainty that agents used the techniques while they were employed by Israeli intelligence.
“There have been numerous reports that top intelligence agencies, including American ones, are sometimes able to use such techniques,” it wrote.
Make sure you’re protected
While Twitter didn’t say why it waited more than a month to go public with the phone number swindle, it did say that it made changes to users’ phone number options in hopes that a similar heist won’t happen again.
“We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day. You can reach out to our Office of Data Protection through this form if you have questions.”
Twitter users can double-check to make sure their phone numbers and personal emails are safe from prying eyes. According to HackerNews, all it takes is navigating to the “Discoverability” setting in a user’s Twitter account and disabling it.