Twitter flaw could have Allowed spies to Unmask Anonymous Users: What to Do

Oops. International cyber spies may have abused Twitter's interface to "scrape" private Twitter users' phone numbers and link them to existing Twitter accounts, Twitter announced in a blog post yesterday (February 3). ...

If you use your real name or are otherwise recognized on Twitter, this is not a big problem. But for those trying to hide their identity on the social network, it could be a devastating blow.

Political dissidents, social activists, anonymous bloggers, whistleblowers, and others who wish to remain anonymous could have their identities exposed, with potentially deadly consequences. Intelligence agencies can use cell phone numbers to target cell phones with spyware.

You may want to check your Twitter account now to see if you have been the victim of such data scraping. In the Twitter mobile app or desktop browser, go to Settings >> Privacy and Security >> Discoverability and Contacts.

If "Let people who know your phone number find you on Twitter" or "Let others find you by your phone number" is enabled, uncheck it.

We did not remember enabling this feature, yet it was checked on all our Twitter accounts. We gave our phone number to Twitter for two-factor authentication.

Twitter discovered this problem while investigating the Christmas Eve 2019 incident, when it announced that white-hat hacker Ibrahim Balic had been able to link Twitter users to 17 million phone numbers.

"During our investigation, we discovered additional accounts that we believe may be abusing this same API endpoint beyond its intended use case," Twitter said in a blog post.

"We observed a particularly high number of requests from IP addresses located in Iran, Israel, and Malaysia. Some of these IP addresses may be associated with state-sponsored actors, in other words, intelligence agencies or spies."

Balic's method was simple: he uploaded randomly generated phone numbers from his Android phone's contact list, one by one. (Twitter says it didn't work on the iPhone.)

If the number matched that of a Twitter user, the API would return that user's Twitter handle. The "state-sponsored actors" that Twitter noticed seemed to use a similar method.

Twitter should have seen this coming. It was a very simple enumeration attack: generate numbers, feed them to the API, and collect the sensitive data it returns.
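The enumeration pattern described above has a recognizable server-side signature: a genuine address-book sync uploads a modest number of contacts, most of which belong to real people, whereas generated numbers arrive in bulk and almost never match an account. The following added example (not Twitter's code or logs) shows how a service could flag that pattern from its own request logs. The log format, the account identifiers, the IP addresses and the thresholds are all constructed for illustration.

```python
"""Flag phone-number enumeration against a contact-sync lookup endpoint.

Added example with a hypothetical log format. Each constructed log line
records one contact-upload request:
    <timestamp> <account_id> <src_ip> <numbers_uploaded> <numbers_matched>
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real traffic): two users syncing a real
# address book, and one client repeatedly uploading generated numbers that
# almost never correspond to an account.
SAMPLE_LOG = """\
2019-12-24T10:00:01Z acct-1001 203.0.113.5 250 181
2019-12-24T10:00:02Z acct-2002 198.51.100.7 500 3
2019-12-24T10:00:03Z acct-2002 198.51.100.7 500 2
2019-12-24T10:00:04Z acct-2002 198.51.100.7 500 4
2019-12-24T10:00:05Z acct-2002 198.51.100.7 500 1
2019-12-24T10:00:06Z acct-3003 192.0.2.9 40 35
2019-12-24T10:00:07Z acct-2002 198.51.100.7 500 3
"""


@dataclass
class ClientStats:
    """Per-account totals accumulated from the log."""
    requests: int = 0
    uploaded: int = 0
    matched: int = 0
    ips: set = field(default_factory=set)

    @property
    def match_rate(self) -> float:
        return self.matched / self.uploaded if self.uploaded else 0.0


def parse_log(text: str):
    """Parse the constructed log lines into (account, ip, uploaded, matched)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, acct, ip, uploaded, matched = line.split()
        records.append((acct, ip, int(uploaded), int(matched)))
    return records


def aggregate(records):
    """Sum uploads and matches per account."""
    stats = defaultdict(ClientStats)
    for acct, ip, uploaded, matched in records:
        s = stats[acct]
        s.requests += 1
        s.uploaded += uploaded
        s.matched += matched
        s.ips.add(ip)
    return stats


def flag_enumeration(records, max_uploaded=1000, min_match_rate=0.10, min_sample=100):
    """Return {account: [reasons]} for accounts whose traffic looks like guessing.

    Two illustrative signals: total volume far beyond a plausible address
    book, and a match rate far below what real contacts produce. The match
    rate test only applies once enough numbers have been seen (min_sample),
    so a small sync of unknown contacts is not flagged.
    """
    flagged = {}
    for acct, s in aggregate(records).items():
        reasons = []
        if s.uploaded > max_uploaded:
            reasons.append(f"volume {s.uploaded} > {max_uploaded}")
        if s.uploaded >= min_sample and s.match_rate < min_match_rate:
            reasons.append(f"match rate {s.match_rate:.2%} < {min_match_rate:.0%}")
        if reasons:
            flagged[acct] = reasons
    return flagged


if __name__ == "__main__":
    for acct, reasons in flag_enumeration(parse_log(SAMPLE_LOG)).items():
        print(acct, "->", "; ".join(reasons))
```

In the constructed sample only acct-2002 is flagged, on both signals: 2,500 numbers uploaded with 13 matches. The two ordinary syncs fall under the volume cap and show match rates above 70%. A per-account upload quota enforced at the endpoint, rather than after the fact, is the complementary control; the detection above is what tells you the quota was set too high.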

Facebook got into trouble in mid-2018 by allowing users to search for Facebook members by phone number, which was exploited by enumeration to create a list of otherwise unlisted cell phone numbers.

Back in 2010, a pair of hackers enumerated iPad SIM card ID numbers and scraped over 100,000 email addresses from AT&T's website; in 2018, identity protection company LifeLock was the victim of a similar attack.

In a blog post yesterday, Twitter said it had fixed the issue.

"We immediately made a number of changes to this endpoint so that it no longer returns specific account names for queries. Additionally, we suspended accounts that we believed were abusing this endpoint."

We have asked Twitter how many users may have been affected and if they have any advice for affected users. We will update this article as soon as we receive a reply.
