Twitter has warned that hackers acting on behalf of governments may have accessed the phone numbers of some users.
A security researcher discovered a flaw in its contacts upload feature in December that allowed him to access the phone numbers of senior politicians.
Around that time, Twitter said it saw a “high volume of requests” to use the feature from Iran, Israel and Malaysia.
It declined to say how many users’ phone numbers had been exposed.
In a statement published on its blog Twitter said: ” It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”
It did not provide much detail on why it thought it could have been a state-based attack but one clue may lie in the fact that users in Iran appeared to have had access to the platform, even though Twitter is banned in the country.
Phone numbers
In December, TechCrunch reported that security researcher Ibrahim Balic had managed to match 17 million phone numbers to specific Twitter users accounts by exploiting a flaw in the contacts feature in Twitter’s Android app.
The feature is designed to allow people who already have someone’s phone number to make contact with them on Twitter.
Mr Balic automatically generated more than two billion phone numbers and uploaded them to Twitter through the app. Over a two-month period he matched these generated numbers to users in Israel, Turkey, Iran, Greece, Armenia, France and Germany.
He did not alert Twitter to the vulnerability but included the phone numbers of high-profile Twitter users – such as politicians and officials – in a WhatsApp group in order to warn people affected directly.
The flaw was fixed by Twitter at the end of December.
In its blog post it said it had now made changes to the feature so it no longer returned specific account names in response to queries.
“We’re very sorry this happened,” it said.
