Bargains for Under $25 HP Envy 34 All-in-One PC Review Best Fitbits T-Mobile Data Breach Settlement ExpressVPN Review Best Buy Anniversary Sale Healthy Meal Delivery Orville 'Out Star Treks' Star Trek
Want CNET to notify you of price drops and the latest stories?
No, thank you

Twitter says bad actors linked users with phone numbers

The accounts exploited the Twitter API at the end of 2019.

The incident that hit Twitter late last year is an an example of a practice called scraping. 
Angela Lang/CNET

Twitter has revealed a security incident that occurred at the end of last year, where phone numbers were matched to usernames. The company said Monday that a large number of fake accounts exploited its API to access the information. The accounts were suspended immediately.

The incident, discovered on Dec. 24, affected users who have a phone number linked to their account, and who have enabled the "let people who have your phone number find you on Twitter" option. To get the numbers, the fake accounts sent large numbers of requests to the Twitter API, software that serves as an interface between a company's back-end systems and its websites and apps.

"Someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers," a Twitter spokesperson said in an emailed statement. "After our investigation, we immediately fixed the issue by making a number of changes to the specific API endpoint that was being exploited."

It's an example of a practice called scraping, which collects huge numbers of personal data shared with social networks and other websites. Bad actors send automated requests to gather information at scale. Even though the scraped information is sometimes also public on the user's social media profile, it's typically against a company's terms of service to gather information this way. Facebook and Instagram have also seen scraping incidents that amassed large amounts of user data. The data is often found for sale on dark corners of the internet.

In the Twitter incident, the fake accounts came from multiple countries, including Iran, Israel and Malaysia, the company said. The social media giant said it's possible some of those accounts were tied to state-sponsored actors. To collect the data, the fake accounts entered in phone number after phone number, and received the corresponding Twitter username in response.

It's believed several thousand fake accounts were suspended, but Twitter couldn't provide an exact number.

Queenie Wong contributed to this story.

Originally published Feb. 3, 1:54 p.m. PT.
Update, 2:31 p.m.: Adds information on scraping and more details about the Twitter incident.