Twitter: We killed a large network of fake accounts and others for abusing API feature that matched phone numbers to usernames
Today, Twitter released a statement that says the platform has suspended a large network of fake accounts, as well as many others located in a wide range of countries, for abusing an API feature that allowed them to match phone numbers to usernames.
Here's the official tweet.
We recently discovered an issue that allowed bad actors to match a specific phone number with the corresponding accounts on Twitter. We quickly corrected this issue and are sorry this happened. You can learn more about our investigation here: https://t.co/Z6Q4geQ8jo
— Twitter Support (@TwitterSupport) February 3, 2020
We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia, the Twitter security bulletin says. It is possible that some of these IP addresses may have ties to state-sponsored actors, the post continued.
TechCrunch previously reported this same issue on December 24, which is also the day Twitter says that it became aware that the abuse was taking place, writes Devin Coldewey at TechCrunch.
Security researcher Ibrahim Balic found that a bug in Twitter's Android app let him submit millions of phone numbers through an official API, which returned any associated user account.
Excerpt from today's TechCrunch report:
The feature is intended, if you have enabled it, to let friends who have your number look up your Twitter handle. But obviously submitting millions of numbers goes beyond its intended use case.
If you had turned this feature off, you weren't affected by this bug. Fortunately for users in the EU, this was opt-in there.
Original Link: https://boingboing.net/2020/02/04/twitter-we-killed-a-large.html