
Twitter says bad actors linked users with phone numbers

The accounts exploited the Twitter API at the end of 2019.

Corinne Reichert, Senior Editor
Laura Hautala, Former Senior Writer
The incident that hit Twitter late last year is an example of a practice called scraping.

Angela Lang/CNET

Twitter has revealed a security incident that occurred at the end of last year, in which phone numbers were matched to usernames. The company said Monday that a large number of fake accounts exploited its API to access the information. The accounts were suspended immediately.

The incident, discovered on Dec. 24, affected users who have a phone number linked to their account, and who have enabled the "let people who have your phone number find you on Twitter" option. To get the numbers, the fake accounts sent large numbers of requests to the Twitter API, software that serves as an interface between a company's back-end systems and its websites and apps.

"Someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers," a Twitter spokesperson said in an emailed statement. "After our investigation, we immediately fixed the issue by making a number of changes to the specific API endpoint that was being exploited."

It's an example of a practice called scraping, which collects huge amounts of the personal data shared with social networks and other websites. Bad actors send automated requests to gather information at scale. Even though the scraped information is sometimes also public on the user's social media profile, it's typically against a company's terms of service to gather information this way. Facebook and Instagram have also seen scraping incidents that amassed large amounts of user data. The data is often found for sale on dark corners of the internet.

In the Twitter incident, the fake accounts came from multiple countries, including Iran, Israel and Malaysia, the company said. The social media giant said it's possible some of those accounts were tied to state-sponsored actors. To collect the data, the fake accounts entered phone number after phone number, and received the corresponding Twitter username in response.
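As an added illustration, not code from the article or from Twitter, here is a small detector that reads a constructed access log for a hypothetical phone-lookup endpoint and flags two things: one account exceeding a per-account lookup limit, and the pattern the story describes, many accounts whose lookups stay individually small but add up across the network. The log format, endpoint name and thresholds are assumptions.

```python
from collections import Counter

# Constructed sample of an API access log; the format and endpoint name are
# hypothetical, not Twitter's. Fields: "<epoch-seconds> <account> <endpoint>"
SAMPLE_LOG = """\
1577145601 legit-01 timeline/home
1577145602 fake-01 contacts/lookup
1577145602 fake-01 contacts/lookup
1577145603 fake-01 contacts/lookup
1577145603 fake-02 contacts/lookup
1577145604 fake-02 contacts/lookup
1577145604 fake-02 contacts/lookup
1577145605 fake-03 contacts/lookup
1577145605 fake-03 contacts/lookup
1577145606 fake-03 contacts/lookup
1577145800 fake-04 contacts/lookup
1577145801 fake-04 contacts/lookup
1577145802 fake-04 contacts/lookup
1577145803 fake-04 contacts/lookup
1577145804 fake-04 contacts/lookup
1577145805 fake-04 contacts/lookup
"""

LOOKUP_ENDPOINT = "contacts/lookup"  # assumed name for the phone-to-username endpoint
WINDOW_SECONDS = 60
PER_ACCOUNT_LIMIT = 5   # lookups one account may make per window
NETWORK_LIMIT = 8       # lookups all accounts together may make per window

def parse_lookups(log_text):
    events = []
    for line in log_text.splitlines():
        ts, account, endpoint = line.split()
        if endpoint == LOOKUP_ENDPOINT:  # only phone-lookup requests matter here
            events.append((int(ts), account))
    return sorted(events)

def detect(log_text):
    lookups = parse_lookups(log_text)
    flagged, coordinated, start = set(), False, 0
    for end, (ts, _) in enumerate(lookups):
        # slide the window so lookups[start:end+1] all fall within WINDOW_SECONDS
        while lookups[start][0] <= ts - WINDOW_SECONDS:
            start += 1
        counts = Counter(acct for _, acct in lookups[start:end + 1])
        flagged.update(a for a, n in counts.items() if n > PER_ACCOUNT_LIMIT)
        # a network of accounts that each stay under the per-account cap still adds up
        if sum(counts.values()) > NETWORK_LIMIT and len(counts) >= 3:
            coordinated = True
    return {"flagged": sorted(flagged), "coordinated": coordinated, "lookups": len(lookups)}
```

On the sample, fake-01 to fake-03 never exceed the per-account limit and are caught only by the aggregate check, while fake-04 trips the per-account limit on its own.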

It's believed several thousand fake accounts were suspended, but Twitter couldn't provide an exact number.

Queenie Wong contributed to this story.

Originally published Feb. 3, 1:54 p.m. PT.
Update, 2:31 p.m.: Adds information on scraping and more details about the Twitter incident.