Twitter says it has discovered attempts by possible state-sponsored hackers to access account holders’ telephone numbers.
The problem came to light after a security researcher found a flaw in the ‘contacts upload’ feature that let phone numbers be matched to accounts in bulk.
The company declined to say how many user phone numbers had been exposed, saying Twitter was unable to identify all of the accounts that may have been impacted.
In a statement published on its privacy blog, Twitter said it had identified a high volume of requests to use the feature coming from IP addresses in Iran, Israel and Malaysia.
A company spokeswoman said Twitter suspected a possible connection to state-backed actors because the attackers in Iran appeared to have had unrestricted access to Twitter, even though the network is banned there.
According to a December article in the technology publication TechCrunch, a security researcher, Ibrahim Balic, had managed to match 17 million phone numbers to specific Twitter user accounts by exploiting a flaw in the contacts feature of Twitter’s Android app.
The ‘contacts upload’ function allows people with a user’s phone number to find and connect with that user on Twitter.
It is off by default for users in the European Union where stringent privacy rules are in place. It is switched on by default for the rest of the world.
Twitter said in its statement that it has changed the feature so it no longer reveals specific account names in response to requests. It has also suspended any accounts believed to have been abusing the tool.
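To make the abuse and the fix concrete, the following is an added toy model of a phone-number contact-discovery endpoint; it is not Twitter's code and does not reproduce any real request format. The directory, the client identifier, the secret and the limits (a batch cap of 50 numbers, 200 lookups per client per hour) are all constructed assumptions. The leaky variant maps every uploaded number straight to a handle, so a caller who uploads a generated range of numbers rather than a genuine address book harvests the number-to-account mapping. The hardened variant caps batch size, rate-limits per client (the kind of per-source control that would flag the high request volumes described above), and returns an opaque per-client token instead of the handle, so a match can drive a "people you may know" suggestion without telling the caller which number belongs to which account.

```python
import hashlib
import hmac

# Constructed sample directory (phone number -> account handle). Not real data.
DIRECTORY = {
    "+15550100001": "alice",
    "+15550100007": "bob",
    "+15550100042": "carol",
}

# Constructed server-side secret used only to mint opaque match tokens.
SERVER_SECRET = b"constructed-server-secret"


def discover_leaky(numbers):
    """Old-style contact upload: every uploaded number that belongs to an
    account is returned together with that account's handle.  Nothing checks
    whether the caller plausibly knows these numbers, so a generated range of
    numbers yields the full number-to-handle mapping."""
    return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def match_token(client_id, number):
    """Opaque, client-specific token for a matched number.  The app can use it
    to request a suggestion later; it reveals neither the handle nor the
    number to anyone without the server secret."""
    msg = f"{client_id}|{number}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


class HardenedDiscovery:
    """Assumed hardened design (an illustration, not Twitter's implementation):
    cap the batch size, cap lookups per client per window, and never return
    the handle."""

    MAX_BATCH = 50          # assumed per-request cap
    MAX_PER_WINDOW = 200    # assumed per-client lookup budget per window
    WINDOW_SECONDS = 3600   # assumed window length

    def __init__(self):
        self._usage = {}    # client_id -> (window_start, numbers_looked_up)

    def _consume_budget(self, client_id, n, now):
        start, used = self._usage.get(client_id, (now, 0))
        if now - start >= self.WINDOW_SECONDS:
            start, used = now, 0           # new window
        if used + n > self.MAX_PER_WINDOW:
            self._usage[client_id] = (start, used)
            return False
        self._usage[client_id] = (start, used + n)
        return True

    def discover(self, client_id, numbers, now):
        if len(numbers) > self.MAX_BATCH:
            raise ValueError("batch too large")
        if not self._consume_budget(client_id, len(numbers), now):
            raise PermissionError("rate limited")
        matched = [n for n in numbers if n in DIRECTORY]
        return [match_token(client_id, n) for n in matched]


def enumerate_range(prefix, start, stop):
    """Generate a contiguous block of numbers, the way an enumeration attempt
    would rather than uploading a real address book."""
    return [f"{prefix}{i:04d}" for i in range(start, stop)]


def harvest_hardened(numbers, client_id="198.51.100.7", now=0.0):
    """Run the same enumeration against the hardened endpoint, one batch at a
    time, and report what came back and how many batches were refused."""
    svc = HardenedDiscovery()
    tokens, rejected = [], 0
    for i in range(0, len(numbers), HardenedDiscovery.MAX_BATCH):
        batch = numbers[i:i + HardenedDiscovery.MAX_BATCH]
        try:
            tokens.extend(svc.discover(client_id, batch, now))
        except PermissionError:
            rejected += 1
    return tokens, rejected


if __name__ == "__main__":
    probe = enumerate_range("+1555010", 0, 1000)
    print("leaky endpoint:", discover_leaky(probe))
    tokens, rejected = harvest_hardened(probe)
    print("hardened endpoint: %d opaque tokens, %d batches rejected"
          % (len(tokens), rejected))
```

Against 1,000 generated numbers the leaky endpoint hands back all three handles; the hardened one answers only the first four batches (the 200-lookup budget), refuses the remaining sixteen, and what it does return carries no handle. Rate limiting alone does not stop a patient attacker spread across many source addresses, which is why the response shape matters as much as the quota.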
However, the company is not sending individual notifications to users whose phone numbers were accessed in the data leak.