Skip to main content

Twitter says state-backed attackers may have nabbed phone numbers

Twitter has revealed more details about a security incident that allowed attackers to discover phone numbers attached to numerous accounts on its platform.

The process involved exploiting a feature, which, when used in the intended way, lets new sign-ups find friends who are already on Twitter by inputting their phone number. The feature works for those who have enabled the “Let people who have your phone number find you on Twitter” option and who have a phone number associated with their Twitter account.

The company said that during a recent investigation, it discovered and subsequently shut down a large network of fake accounts that may have been attempting to match a huge number of generated phone numbers to Twitter accounts.

It said it realized something was wrong when it observed “a particularly high volume” of attempts coming from individual IP addresses located within Iran, Israel, and Malaysia, adding, “It is possible that some of these IP addresses may have ties to state-sponsored actors.” Speaking to Reuters, a Twitter spokesperson said its team had particular concerns about Iran as the attackers seemed to have had unrestricted access to the social media platform despite it being banned in the country.

Twitter said it has now made changes to its system to prevent similar attacks in the future, and also shut down the accounts that it believed were attempting to exploit the flaw.


The issue was first exposed in December 2019 by London-based security researcher Ibrahim Balic. It seems that it was Balic’s discovery that prompted Twitter’s investigation, which led to the suspected state-backed attackers. Balic showed that he was able to match 17 million phone numbers to Twitter accounts by uploading more than 2 billion random numbers to the service. The exercise enabled him to discover the phone numbers of various high-profile Twitter users, among them politicians and officials.

The incident is the latest in a series of security mishaps to hit Twitter. Late last year, for example, the company revealed it had patched a vulnerability in its Android app that could have let malicious actors view information of private accounts and take over profiles, and even send direct messages and tweets on the target account’s behalf. Another error saw the platform reveal the tweets of protected accounts.

Announcing details of security incidents is part of Twitter’s recently launched effort to be more transparent with its community of around 330 million people globally.

Editors' Recommendations

Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…
Musk says some impersonation Twitter accounts face permanent ban
Twitter logo in white stacked on top of a blue stylized background with the Twitter logo repeating in shades of blue.

New Twitter owner Elon Musk said on Sunday that anyone on the platform that operates an account impersonating someone else, without stating “parody” in the profile, will be permanently suspended from the service.

In a follow-up tweet, Musk said that, while the company used to give a warning to an imitator to give them a chance to rectify the situation, there would no longer be a warning, with suspension taking place as soon as the violation was discovered.

Read more
Elon Musk to cut half of Twitter workforce, report says
tesla and spacex ceo elon musk stylized image

New Twitter owner Elon Musk is planning to cut the company's workforce by about half, insiders told Bloomberg on Wednesday.

The report said the company’s headcount will be reduced by 3,700, leaving it with about 3,800 workers to carry out its operations. Affected employees will reportedly be notified on Friday and may be given 60 days' severance pay, though the precise exit terms have yet to be confirmed.

Read more
Twitter to start charging for verification mark, reports say
Twitter symbol photo. Credits: Twitter official.

Various reports on Sunday evening suggest Twitter will soon start charging a monthly fee of between $5 and $20 for an account holder to display a blue verification badge.

The coveted check mark is given to users with accounts that Twitter defines as "authentic, notable, and active," and gives followers reassurance that the account is genuine.

Read more