“While we identified accounts located in a wide range of countries engaging in these behaviours, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” Twitter said in a blog post on Monday.
“It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle,” the social media platform said.
In December last year, security researcher Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter’s contacts upload feature, TechCrunch reported.
He claimed that he matched 17 million phone numbers to user accounts – including high-profile politicians and officials.
“If you upload your phone number, it fetches user data in return,” he was quoted as saying.
In one case, TechCrunch was able to identify a senior Israeli politician using their matched phone number.
“We’re very sorry this happened. We recognise and appreciate the trust you place in us, and are committed to earning that trust every day,” Twitter said in the blog post.
Over a two-month period, Balic began alerting users directly and when Twitter came to know, the micro-blogging platform blocked his efforts on December 20.
Balic had created a WhatsApp group to alert users.
He generated more than two billion phone numbers, one after the other, then randomised the numbers, and uploaded them to Twitter through the Android app.
The bug did not exist in the web-based upload feature.
Twitter said that the vulnerability affected those people who enabled the “Let people who have your phone number find you on Twitter” option and who had a phone number associated with their Twitter account.
“People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability,” Twitter said.
“After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint,” it added.