Skip to main content

Twitter support flaw possibly exploited by state-sponsored groups to access user data

A recent bug with one of Twitter’s support forms has exposed user details such as phone number country code and whether accounts had been locked by Twitter. The company believes the flaw was likely used by state-sponsored actors to gain information about Twitter accounts.

As spotted by TechCrunch, Twitter posted details about the bug today on its Help Center:

We have become aware of an issue related to one of our support forms, which is used by account holders to contact Twitter about issues with their account. We began working to resolve the issue on November 15 and it was fixed by November 16. This could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter.

Twitter told TC that it reported the issue to the proper authorities including the FTC, the European Union’s Data Protection Commissioner, and affected users, but didn’t say how many accounts were impacted.

As for how Twitter discovered the bug and the source of the wave of “requests,” the company believes state-sponsored actors in China and Saudi Arabia may be involved.

During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors. We continue to err on the side of full transparency in this area and have updated law enforcement on our findings.

Twitter ended the statement by letting users know they don’t need to take any further action and offered an apology. However, there is also a data protection form that concerned users can fill out.

If you have any questions or concerns, you can contact Twitter’s Data Protection Officer, Damien Kieran, by completing the online form located here. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day. We are sorry this happened.


Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Michael Potuck Michael Potuck

Michael is an editor for 9to5Mac. Since joining in 2016 he has written more than 3,000 articles including breaking news, reviews, and detailed comparisons and tutorials.


Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications