The Android version of the Twitter app has a vulnerability that allows arbitrary phone numbers to be uploaded and then matched to users by the service. Upload enough numbers and you will inevitably hit the numbers of prominent people.
According to TechCrunch, the discovery is the work of security researcher Ibrahim Balic. He first tried to upload a sequential set of phone numbers to Twitter, but the system was already prepared for that. However, he did get through with a randomly generated set of two billion phone numbers. The result was 17 million matches between phone number and Twitter account. Balic reportedly did not report the vulnerability to Twitter, and the researcher's Twitter account has since been suspended.
In the course of its verification work, TechCrunch tracked down a “senior Israeli politician” as well as other, non-prominent users. Balic says he notified the most prominent matches himself via a WhatsApp group.
In a response to TechCrunch, Twitter says it is “working to ensure this bug cannot be exploited again”. That was on Christmas Eve, so it looks like the bug is still there. It remains to be seen how exactly Twitter will solve this, since it is impossible to tell whether an uploaded telephone number belongs to a genuine contact or was simply made up by a malicious user.