"... we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. ..." https://t.co/7G7G8e9kxK

— Vahid Online (@Vahid) February 3, 2020

?

There now probably exists somewhere a list of phone numbers and account usernames. This puts 2FA security at risk for all those accounts.

Make sure your 2FA is secured via third party authorization app, not via text message https://t.co/wFDex9qxaq

— TJ Smith (@tjsmith) February 3, 2020

We recently discovered an issue that allowed bad actors to match a specific phone number with the corresponding accounts on Twitter. We quickly corrected this issue and are sorry this happened. You can learn more about our investigation here: https://t.co/Z6Q4geQ8jo

— Twitter Support (@TwitterSupport) February 3, 2020

Just about everyone who demands a phone number ends up misusing it. https://t.co/D8Pf93JNuQ

— Emin Gün Sirer (@el33th4xor) February 3, 2020

BREAKING: Twitter says a suspected state-sponsored actor used its API to match usernames to phone numbers

- Attack took place on December 24, 2019
- Twitter said attack came from IPs in Iran, Israel, and Malaysiahttps://t.co/EHSbpwcTsP pic.twitter.com/ulWUmfF5L6

— Catalin Cimpanu (@campuscodi) February 3, 2020

could mean many Iranian users were at risk:
twitter says some ppl were using large network of fake acc's to exploit its API & match usernames to phone numbers- high vol of such requests coming from addresses in Iran, Israel, & Malaysia, w/ possible ties to state-sponsored actors. https://t.co/TAjKs1dMeR

— Hadi Nili (@HadiNili) February 3, 2020

I don't understand. The attack worked only against users who configured accounts to be matched to their phone number. That means these users chose to allow people to match phone numbers to accounts, right? If so, how is this an attack? What am I missing? https://t.co/uoHopZHtoi

— Dan Goodin (@dangoodin001) February 4, 2020

Twitter has really hashed up this disclosure. No wonder initial reports got this wrong. Twitter still needs to explain its attribution here.

My @TechCrunch colleague, who isn't on Twitter (lucky him) has an accurate understanding of what went on. https://t.co/rwzPLqnhVc

— Zack Whittaker (@zackwhittaker) February 3, 2020

Twitter data breach. Only potentially impacted when you have the option “let people who have your phone number find you...” enabled and your phone number set in Twitter. Remove your phone number, better safe than sorry! it’s not needed anymore for 2FA anyway #Infosec #GDPR https://t.co/K9v0u1COrr

— John Opdenakker (@j_opdenakker) February 3, 2020

Twitter’s & @jack’s stunning failure to protect users’ privacy is a matter of life & death for human rights advocates & journalists around the world. Twitter must urgently notify those compromised by these attacks—their safety & freedom could be at immediate risk. https://t.co/NVhPObRTEf

— Richard Blumenthal (@SenBlumenthal) February 4, 2020

Twitter admits to a bug that might have put privacy-conscious users at risk – by revealing what phone numbers are associated with which Twitter accounts. https://t.co/rom9dP4QQv via @InfoSecHotSpot pic.twitter.com/4UHL28AoLW

— Sean Harris (@InfoSecHotSpot) February 4, 2020

Twitter security hole allowed state-sponsored hackers to match phone numbers to usernames https://t.co/VHrAwkl7jg via gcluley

— BrianHonan (@BrianHonan) February 4, 2020

Given that Twitter has been compromising phone numbers - https://t.co/Wj6qNwTZk1 - Islamicat recommend enabling an authentication app for your account, rather than just text messaging (see pic) pic.twitter.com/8zM12IaIQR

— Islamicat ??? (@_Islamicat) February 4, 2020

Twitter says a certain someone tried to discover the phone numbers used by potentially millions of twits https://t.co/mxtagwWxO1 #infosec pic.twitter.com/8frrW0u4gU

— #AI (@AI__TECH) February 4, 2020

Huch! https://t.co/nV54ZkgVzx

— lackgestiefelter Kater (@lackkater) February 4, 2020

Twitter has suspended a large number of fake accounts that were exploiting an API vulnerability to match usernames to phone numbers. https://t.co/C6q2VjGb6L

— Eduard Kovacs (@EduardKovacs) February 4, 2020

Twitter has shut down “a large network of fake accounts" abusing a feature that let them match phone numbers to user accounts. Some of them appear to be associated with a state-sponsored campaign run out of Iran. https://t.co/Z00MScynld

— Caroline Orr (@RVAwonk) February 4, 2020

Twitter says state-backed actors may have accessed users' phone numbers

Twitter said it had identified a “high volume of requests” to use the feature coming from IP addresses in Iran, Israel and Malaysia.https://t.co/8LyB34Yg6D

— Anthony DeRosa? (@Anthony) February 4, 2020

Twitter says ‘state-backed actors’ may have exploited a flaw in a feature of its Android app to access users’ phone numbers, adding it had identified a ‘high volume of requests’ coming from IP addresses in Iran, Israel and Malaysia https://t.co/Cusm3VQcG8 pic.twitter.com/n2do4BTfED

— Reuters Business (@ReutersBiz) February 4, 2020

Twitter says state-backed actors may have accessed users' phone numbers https://t.co/qKeyJxW6UB

— Reuters Iran (@ReutersIran) February 4, 2020

Surprise, surprise....?

Twitter says state-backed actors may have accessed users' phone... https://t.co/THnuxNPcZn

— Rise Up (@sara8smiles) February 4, 2020

Nation states may have accessed @Twitter
User phone numbers, yet no user notification from @Twitter
In direct violation of UK & EU GDRP data privacy regulations
cc: @ICOnewshttps://t.co/EOCi8W8DRe

— Chris Kubecka ?? Speaker @Disobey_fi ✈️ (@SecEvangelism) February 4, 2020

Twitter Data Breach: Govt Accounts Tried To Access User Phone Numbers

In privacy blog update on Monday(Feb 3), Twitter said that it fixed a data breach that was using a large network of fake accounts to exploit its API & match usernames to phone numbers https://t.co/DElU1Az9eA

— PrivacyDigest (@PrivacyDigest) February 4, 2020

Twitter says state-actors may have gained access to people's phone numbers #Twitter #Hack https://t.co/G3nGVWnPVt pic.twitter.com/dLwF4o5REF

— Neowin (@NeowinFeed) February 4, 2020