Twitter says state-backed attackers may have nabbed phone numbers

Twitter has revealed more details about a security incident that allowed attackers to discover phone numbers attached to numerous accounts on its platform.

The process involved exploiting a feature that, when used as intended, lets new sign-ups find friends who are already on Twitter by inputting their phone number. The feature works only for accounts that have a phone number associated with them and have the “Let people who have your phone number find you on Twitter” option enabled.

The company said that during a recent investigation, it discovered and subsequently shut down a large network of fake accounts that may have been attempting to match a huge number of generated phone numbers to Twitter accounts.

It said it realized something was wrong when it observed “a particularly high volume” of attempts coming from individual IP addresses located within Iran, Israel, and Malaysia, adding, “It is possible that some of these IP addresses may have ties to state-sponsored actors.” Speaking to Reuters, a Twitter spokesperson said its team had particular concerns about Iran as the attackers seemed to have had unrestricted access to the social media platform despite it being banned in the country.

Twitter said it has now made changes to its system to prevent similar attacks in the future, and also shut down the accounts that it believed were attempting to exploit the flaw.

Background

The issue was first exposed in December 2019 by London-based security researcher Ibrahim Balic. It seems that it was Balic’s discovery that prompted Twitter’s investigation, which led to the suspected state-backed attackers. Balic showed that he was able to match 17 million phone numbers to Twitter accounts by uploading more than two billion random numbers to the service. The exercise enabled him to discover the phone numbers of various high-profile Twitter users, among them politicians and officials.

The incident is the latest in a series of security mishaps to hit Twitter. Late last year, for example, the company revealed it had patched a vulnerability in its Android app that could have let malicious actors view information of private accounts and take over profiles, and even send direct messages and tweets on the target account’s behalf. Another error saw the platform reveal the tweets of protected accounts.

Announcing details of security incidents is part of Twitter’s recently launched effort to be more transparent with its community of around 330 million people globally.
