On December 24, 2019, we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened and how we fixed it.
During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.
When used as intended, this endpoint makes it easier for new account holders to find people they may already know on Twitter. The endpoint matches phone numbers to Twitter accounts for those people who have enabled the “Let people who have your phone number find you on Twitter” option and who have a phone number associated with their Twitter account. People who did not have this setting enabled or did not have a phone number associated with their account were not exposed by this vulnerability.
After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint.
Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on stopping abuse of Twitter’s API as quickly as possible. You can learn more about our efforts to protect Twitter from platform manipulation and state-backed activity in the Twitter Transparency Report.
We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day. You can reach out to our Office of Data Protection through this form if you have questions.