Twitter has this week revealed that it recently detected a potential security vulnerability in its account matching systems which may have exposed people's personal identifying information via the app.
As explained by Twitter:
"On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation, because we believe it’s important that you are aware of what happened, and how we fixed it."
When you first sign up for a Twitter account, Twitter provides an option to cross-match your existing phone and email contacts against Twitter's database, in order to find people you might already know on the platform. You can update this at any time by going to 'Settings and Privacy' > 'Privacy and Safety' > 'Discoverability and Contacts'.
Both of these discoverability options are active by default, enabling anyone who has your phone number (or the one attached to your account) to find your Twitter profile - ideally, the people you know in real life. Tap 'Manage Contacts' at the bottom and you can refresh your contacts listing at any time, in order to find the profiles of anyone listed in your email and phone contacts.
The feature is handy for building your connections from scratch, but as Twitter has now found, hackers can also use it to gather personal data.
"We identified accounts located in a wide range of countries engaging in these behaviors, [including] a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle."
Theoretically, through this process, scammers could get your name and phone number, which they could then use to blackmail you with information posted via your Twitter account, or dupe less tech-savvy people with personal information that they glean from your profile. As a basic example, someone could call you on your birthday, as listed on your Twitter profile, and offer you a deal, which may sound more credible as they know the right date.
And as noted by TechCrunch, with many people also using their phone number for two-factor authentication, it could also enable them, potentially, to access your account.
Twitter says that it's now made changes to its system so that it can no longer return specific account names in response to queries.
"Additionally, we suspended any account we believe to have been exploiting this endpoint."
So the functionality still exists, but Twitter is limiting its capacity in order to stop scammers using it for such purposes. There's no word on how many accounts were potentially exposed via this potential breach.
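To make the abuse pattern and the mitigation concrete, here is an added toy example (it is not Twitter's code, and Twitter has not published the details of its fix beyond what is quoted above). It models a contact-matching lookup in its unprotected form, where any caller can submit arbitrary phone numbers and learn which usernames they map to, beside a hardened form that honours the discoverability opt-out, caps list sizes, rate-limits each account and refuses service to an IP address that is driving many distinct accounts. It also includes an offline detector over constructed access-log lines that surfaces the "high volume of requests from individual IP addresses" pattern described in the disclosure. The directory entries, thresholds, log format and IP addresses are all constructed for the example.

```python
# Added example: toy contact-matching endpoint, vulnerable and hardened forms,
# plus log-based detection of a fake-account network. Not Twitter's code.
from collections import defaultdict

# Constructed sample directory: phone number -> (username, discoverable-by-phone)
DIRECTORY = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", True),
    "+15550000003": ("carol", False),  # carol turned phone discoverability off
}

# Assumed thresholds, kept small so the behaviour is easy to follow
MAX_NUMBERS_PER_REQUEST = 2   # numbers accepted in one lookup
MAX_REQUESTS_PER_ACCOUNT = 3  # lookups allowed per account in this window
MAX_ACCOUNTS_PER_IP = 2       # more distinct accounts than this from one IP is flagged


class ContactMatcher:
    def __init__(self):
        self.requests_by_account = defaultdict(int)
        self.accounts_by_ip = defaultdict(set)
        self.flagged_ips = set()

    def match_unprotected(self, numbers):
        """Vulnerable shape: every submitted number is resolved to a username,
        the opt-out is ignored and nothing limits how many numbers a caller
        (or a network of fake callers) can try."""
        return {n: DIRECTORY[n][0] for n in numbers if n in DIRECTORY}

    def match_protected(self, account, ip, numbers):
        """Hardened shape: track which accounts each IP drives, refuse service
        once that fan-out is suspicious, cap the list size, enforce a
        per-account quota and only return users who opted in."""
        self.accounts_by_ip[ip].add(account)
        if len(self.accounts_by_ip[ip]) > MAX_ACCOUNTS_PER_IP:
            self.flagged_ips.add(ip)
        if ip in self.flagged_ips:
            return {"error": "suspicious_source"}
        if len(numbers) > MAX_NUMBERS_PER_REQUEST:
            return {"error": "too_many_numbers"}
        self.requests_by_account[account] += 1
        if self.requests_by_account[account] > MAX_REQUESTS_PER_ACCOUNT:
            return {"error": "rate_limited"}
        matches = {}
        for n in numbers:
            entry = DIRECTORY.get(n)
            if entry and entry[1]:  # only users discoverable by phone
                matches[n] = entry[0]
        return {"matches": matches}


def suspicious_ips(log_lines, max_accounts=MAX_ACCOUNTS_PER_IP):
    """Offline detection over access-log lines of the constructed form
    'ip=<addr> account=<id> numbers=<count>'. Returns, for each IP that
    drives more distinct accounts than the threshold, the account count and
    the total number of phone numbers it submitted."""
    accounts = defaultdict(set)
    volume = defaultdict(int)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        accounts[fields["ip"]].add(fields["account"])
        volume[fields["ip"]] += int(fields["numbers"])
    return {ip: (len(accts), volume[ip])
            for ip, accts in accounts.items() if len(accts) > max_accounts}


# Constructed log sample: one IP behind three accounts, one ordinary user
SAMPLE_LOG = [
    "ip=203.0.113.5 account=fake01 numbers=100",
    "ip=203.0.113.5 account=fake02 numbers=100",
    "ip=203.0.113.5 account=fake03 numbers=100",
    "ip=198.51.100.7 account=alice numbers=12",
]


if __name__ == "__main__":
    m = ContactMatcher()
    print("unprotected:", m.match_unprotected(list(DIRECTORY)))
    for acct in ("fake01", "fake02", "fake03"):
        print(acct, m.match_protected(acct, "203.0.113.5", list(DIRECTORY)[:2]))
    print("flagged in logs:", suspicious_ips(SAMPLE_LOG))
```

The unprotected call returns every username, including carol's despite her opt-out; the hardened call drops her, and the third fake account behind the same IP is refused outright. The log detector gives the same signal from the operations side, which is the view a security team would use to find and suspend such a network after the fact.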
Those who didn't have the phone number search setting enabled are not at risk, and Twitter has provided a form for those who have further concerns. But it may be worth noting that scammers could, potentially, have your name and phone number, and could use your corresponding Twitter account details for nefarious purposes.