Gennie Gebhart of EFF has a how-to protect your phone number in the wake of a breach that Twitter revealed this past week:
The bad news is that Twitter has disclosed a failure to protect users’ phone numbers, again. The good news is that Twitter users can take steps to protect themselves.
Earlier this week, Twitter announced it had discovered and shut down “a large network of fake accounts” that were uploading large numbers of phone numbers and using tools in Twitter’s API to match them to individual usernames. This type of activity can be used to build a reverse-lookup tool, to find the phone number associated with a given username.
These tools in Twitter’s API can only match phone numbers to Twitter accounts for those who 1) have “phone number discoverability” turned on in their settings and 2) have a phone number associated with their account. If neither of those are true for you, then your account was not exposed by this problem. Here’s how to check your settings and make sure they are where you want them:
1. To check your discoverability settings, head to the Privacy and safety section of your account settings, then scroll down a bit and select Discoverability and contacts—or just go to https://twitter.com/settings/contacts.
2. You want “Let people who have your phone number find you on Twitter” unchecked. (And while you’re at it, make sure “Let people who have your email address find you on Twitter” is unchecked, too.) Unless you are in the EU, where the GDPR requires that features like this be opt-in, these are both checked by default.
3. To check whether or not you have a phone number associated with your account, go to the Account section of your settings and select Phone—or just go to https://twitter.com/settings/phone.
4. If you see a phone number there that you do not want associated with your profile, click Delete phone number.
There are a number of reasons you might have a phone number here: you may have added it when you signed up (Twitter sometimes requires phone numbers for new accounts), or when you turned on SMS-based two-factor authentication. Note that, even if you disable two-factor authentication, the phone number you used for it will still be hanging around in your account information, and you’ll have to go to that “Phone” section to affirmatively delete it from your account.
Most egregiously on Twitter’s part, you may also have a phone number in your account because Twitter made you put it there to prove you’re not a spammer. When Twitter marks an account as a “bot,” it may require the account holder to provide a phone number to unlock and get back into their account.
If Twitter is going to make users provide this sensitive identifying information to create and even regain access to their accounts, it has a responsibility to protect that information—and it has not fulfilled that responsibility.