Twitter closes accounts that actively abused API bug

Twitter has shut down a network of fake accounts that abused a feature of the API to find phone numbers associated with accounts. That was a known issue discovered by a security researcher last month.

Twitter writes in a blog post that it has taken down a ‘large network of fake accounts’. That network is said to have misused Twitter’s API to find phone numbers for accounts. The feature was a feature that allowed users to find friends on the platform through their contact list, but it turned out to be possible to abuse the feature on a large scale. Techcrunch reported in December about a security researcher who had exploited the feature to link 17 million accounts to a phone number. Twitter then launched an investigation and now says a network was actively exploiting that feature. That happened on December 24 last year.

It is not known how many accounts are involved. The company says the accounts came from different countries, but that a “remarkably high number of requests” came from IP addresses in Iran, Israel and Malaysia. According to the company, it is “possible” that some of those IP addresses are linked to state hackers. Twitter has now modified the API so that exploitation is no longer possible.