Twitter Suspends Fake Accounts for Exploiting API Vulnerability

Twitter on Monday announced that it has suspended a large number of fake accounts that had exploited an API vulnerability to match usernames to phone numbers.

The social platform initially discovered the issue on December 24, when it suspended a large network of such fake accounts, but revealed details of the incident only this week, after an investigation that led to the identification of additional accounts engaged in the same illicit activity.

The fake accounts were exploiting a feature meant to help users with newly created accounts find people they might already know on the online platform.

The feature was designed to match phone numbers to those accounts that had previously enabled the “Let people who have your phone number find you on Twitter” option, and which also had a phone number associated with them.

Users who did not enable the option to let others find them on Twitter via the phone number, or those who did not have a phone number associated with their Twitter account, were not exposed to this attack.

This means that users who added a phone number to their accounts purely for security purposes, such as two-factor authentication (2FA), without enabling the discovery option, might not have been impacted. Previously, Twitter admitted to having “inadvertently” used phone numbers and email addresses meant for 2FA for advertising purposes.

In a blog post on Monday, Twitter said the network of fake accounts exploiting its feature was spread across a wide range of countries.

“We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle,” Twitter revealed.

The company also explained that, in addition to suspending all accounts suspected to have abused the feature, it made a series of changes to ensure that the option would no longer return specific account names in response to queries.

“The security vulnerability in question is comparatively riskless in light of a myriad of avenues to obtain someone’s phone number, including social engineering and OSINT methodologies,” Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, told SecurityWeek in an emailed comment. “Twitter’s claims about the involvement of ‘IPs of state-sponsored actors’ are a bit incomprehensible without further details. Today, it is virtually impossible to reliably attribute an attack, and I think nation-state actors have access to much more dangerous vulnerabilities affecting Twitter and its suppliers.”

On December 24, TechCrunch ran a story revealing how security researcher Ibrahim Balic was able to exploit a vulnerability in Twitter for Android and match 17 million phone numbers to usernames. The researcher abused the flaw for two months before Twitter blocked him.

Related: Vulnerability in Twitter App Enabled Hackers to Obtain Information, Control Accounts

Related: Twitter Admits Phone Numbers Meant for Security Used for Ads

Related: Twitter, Facebook Target State-Linked Accounts Made to Manipulate

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
