Recently, the social networking site Twitter was hit by a major privacy and security incident in which one of its API endpoints was exploited beyond its intended use case. “Someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers,” Twitter announced. All suspicious accounts were immediately suspended.
The incident was identified on December 24th, 2019, and a public announcement was released by the site's support team a few days ago. During their investigation, the Twitter team identified many fake accounts from different geographical locations engaged in this behaviour, but the highest volume of requests from individual IPs came from Iran, Israel and Malaysia.
The endpoint in question backs a Twitter feature intended to let new account holders find people they already know on Twitter by matching phone numbers, but it was misused by fake accounts to extract account names from phone numbers by querying the API endpoint at scale. Users who did not have the setting that enables this feature turned on, or who had no phone number associated with their account, were not affected by this vulnerability.
The Twitter team also mentioned that
“After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries.”
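As an added example (not code from this article or from Twitter), the kind of detection a defender could run over contact-lookup API logs to spot the abuse pattern described above: a network of accounts behind one IP walking through phone numbers rather than uploading a real address book. The log format, thresholds and IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (assumption): one line per phone-to-username lookup.
LINE_RE = re.compile(r"ip=(\S+) acct=(\S+) phone=\+?(\d+)")

def parse_lookups(log_text):
    """Return (ip, account, phone_number) tuples; malformed lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3))))
    return rows

def flag_enumeration(lookups, max_per_account=50, max_accounts_per_ip=5, max_step=2):
    """Map suspicious accounts/IPs to reasons. Thresholds are illustrative assumptions:
    - "volume": one account queries more numbers than a plausible address book;
    - "sequential": an account's numbers are mostly consecutive, i.e. a range walk;
    - "fake_account_network": one IP drives many distinct requesting accounts."""
    per_acct, accts_per_ip = defaultdict(set), defaultdict(set)
    for ip, acct, phone in lookups:
        per_acct[acct].add(phone)
        accts_per_ip[ip].add(acct)
    findings = {}
    for acct, phones in per_acct.items():
        reasons = []
        if len(phones) > max_per_account:
            reasons.append("volume")
        ordered = sorted(phones)
        if len(ordered) >= 5:  # too few points to judge spacing otherwise
            steps = [b - a for a, b in zip(ordered, ordered[1:])]
            if sum(d <= max_step for d in steps) / len(steps) > 0.8:
                reasons.append("sequential")
        if reasons:
            findings[acct] = reasons
    for ip, accts in accts_per_ip.items():
        if len(accts) > max_accounts_per_ip:
            findings[ip] = ["fake_account_network"]
    return findings

def build_sample_log():
    """Constructed sample: one real address-book sync, then six accounts behind one
    IP each walking ten consecutive numbers (IPs are from documentation ranges)."""
    lines = [f"2019-12-24T10:00:00Z ip=203.0.113.7 acct=alice phone=+{n}"
             for n in (15550100, 15550177, 15550142, 15551234)]
    lines += [f"2019-12-24T10:01:00Z ip=198.51.100.9 acct=fake{i // 10} phone=+{15560000 + i}"
              for i in range(60)]
    return "\n".join(lines)
```

Calling `flag_enumeration(parse_lookups(build_sample_log()))` flags the six fake accounts as sequential and their shared IP as a fake-account network, while the genuine address-book sync from alice is left alone.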
Twitter has experienced several data exposure incidents in the past in which user data was leaked. In a similar incident, the social networking site exposed the email addresses and phone numbers that users had provided for two-factor authentication by using them to serve targeted advertisements. The company stated that
“an error in its ‘Tailored Audiences and Partner Audiences advertising system’ unintentionally used the information, provided by users, to run targeted ads.”
The social media giant was apologetic to all its user and business accounts for the mishap and stated, “Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on stopping abuse of Twitter’s API as quickly as possible.”
These incidents clearly indicate that data, whether in transit or at rest, is always at risk once it is exposed to the internet.