In a privacy blog update on Monday (February 3), the social networking company Twitter said that it has fixed a data breach in which a large network of fake accounts exploited its API to match usernames to phone numbers.
The company said that it became aware of the concern on December 24, 2019 and immediately suspended these accounts. In its investigation, the company discovered additional accounts that it believes may have been exploiting this same API endpoint beyond its intended use case.
“While we identified accounts located in a wide range of countries engaging in these behaviours, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” Twitter said.
The company said it is also possible that some of these IP addresses may have ties to state-sponsored actors. It said that when used as intended, this endpoint makes it easier for new account holders to find people they may already know on Twitter.
The endpoint matches phone numbers to Twitter accounts for those people who have enabled the “Let people who have your phone number find you on Twitter” option and who have a phone number associated with their Twitter account. Twitter emphasised that people who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability.
The company said that after the investigation, it immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Twitter also suspended any account it believes has been exploiting this endpoint.
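The two controls the article describes, an opt-in check on the matching endpoint and suspension of accounts driving abnormal lookup volume from individual IP addresses, are easy to model. The block below is an added illustration, not Twitter's code: a toy phone-to-account matcher that only returns users who enabled the discoverability setting, and a detector that reads constructed access-log lines and flags source IPs that query far more numbers than one user's contact list would hold or spread lookups across many accounts. The directory entries, log lines, thresholds and batch cap are all made up for the example.

```python
"""Added illustration (not Twitter's code): a toy contact-matching endpoint that
honours the "let people who have your phone number find you" setting, plus a
detector for the high-volume, many-account lookup pattern the article
describes. All data and thresholds below are constructed."""
from collections import defaultdict

# Constructed directory: phone number -> (handle, discoverable-by-phone setting).
DIRECTORY = {
    "+15550100": ("alice", True),
    "+15550101": ("bob", False),   # opted out: must never be returned
    "+15550102": ("carol", True),
}

MAX_NUMBERS_PER_REQUEST = 100  # assumed batch cap, not a documented Twitter value


def match_phone_numbers(numbers):
    """Return handle matches only for users who opted in to phone discovery."""
    if len(numbers) > MAX_NUMBERS_PER_REQUEST:
        raise ValueError("batch too large")
    matches = {}
    for n in numbers:
        entry = DIRECTORY.get(n)
        if entry and entry[1]:
            matches[n] = entry[0]
    return matches


# Constructed access-log lines: "<timestamp> <source_ip> <account_id> <numbers_queried>"
SAMPLE_LOG = """\
2019-12-24T10:00:00Z 203.0.113.5 acct_1 100
2019-12-24T10:00:01Z 203.0.113.5 acct_2 100
2019-12-24T10:00:02Z 203.0.113.5 acct_3 100
2019-12-24T10:00:03Z 203.0.113.5 acct_4 100
2019-12-24T10:00:04Z 203.0.113.5 acct_5 100
2019-12-24T10:01:00Z 198.51.100.7 acct_9 12
2019-12-24T10:02:00Z 198.51.100.7 acct_9 8
"""


def parse_log(text):
    """Parse the constructed log format into (ts, ip, account, count) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, n = line.split()
        rows.append((ts, ip, account, int(n)))
    return rows


def flag_suspicious_ips(rows, max_numbers=200, max_accounts=3):
    """Flag IPs that query more numbers than a single user's contacts would
    plausibly hold, or that drive lookups through many distinct accounts
    (the fake-account network pattern). Thresholds are illustrative."""
    numbers = defaultdict(int)
    accounts = defaultdict(set)
    for _, ip, account, n in rows:
        numbers[ip] += n
        accounts[ip].add(account)
    return sorted(
        ip for ip in numbers
        if numbers[ip] > max_numbers or len(accounts[ip]) > max_accounts
    )


if __name__ == "__main__":
    print(match_phone_numbers(["+15550100", "+15550101", "+15550199"]))
    print(flag_suspicious_ips(parse_log(SAMPLE_LOG)))
```

In a real deployment the per-IP aggregation would run over a sliding window rather than the whole log, and the flagged source would feed account suspension and a tightened response (for instance, returning no handle at all), which is the shape of the change Twitter describes.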
This is yet another data breach at Twitter in the last few months. In December 2019, Twitter admitted that malicious code was inserted into its mobile app that may have compromised some users' information. The privacy breach was said to have taken place worldwide, including in India.
In October 2019, Twitter confirmed that user data like email addresses and phone numbers provided by users for security purposes may have been unintentionally used for advertising purposes.
However, at the same time, Twitter continues to say it is working on protecting user privacy. In November 2019, Twitter had also come up with a draft policy to curb fake and manipulated content that purposely tries to mislead or confuse people. It had called this phenomenon deepfake or shallow fake and had sought public opinion on it.
In May 2019, India was reported as the country second most affected by cyberattacks between 2016 and 2018. The average cost of a data breach in India has risen 7.9% since 2017, with the average cost per breached record amounting to INR 4,552 ($64).
The Reserve Bank of India too recorded a total of 2,059 cases of cyber fraud in 2017-18 as compared to 1,372 cyber fraud cases in 2016-17.