Twitter was informed of the security incident by a report published on the website TechCrunch. According to the report, the API was exploited on December 24, 2019, when a security researcher abused the official Twitter API to match 17 million phone numbers with public usernames.
Twitter says that as soon as it learned of the incident it took action, immediately shutting down a large network of fake accounts that had been used for this purpose.
The social networking platform also revealed that it carried out further investigation and discovered that others, in addition to the security researcher mentioned by TechCrunch, had been exploiting the API.
Twitter did not specify who misused the API, but stated that some of the IP addresses used in attempts to exploit it were linked to state-sponsored hacking groups (either government intelligence services or hacking groups simply backed by governments).
The Twitter API flaw exploited by the attackers
According to Twitter, the attackers exploited a legitimate API endpoint that allows new account holders to find people they know on the social network. The endpoint lets users submit phone numbers and match them with accounts.
According to the platform, not all users were affected, only those who had enabled the setting that lets others find them by phone number.
"People who have not enabled this setting or do not have a phone number linked to their account have not been affected by this vulnerability," Twitter said.
The platform said it fixed the flaw immediately by making a number of changes to this endpoint so that no other users are affected.
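Added here as an illustration (not Twitter's code and not taken from the report): a simplified contact-discovery lookup that enforces the find-by-phone-number opt-in the page describes and flags the bulk-lookup pattern of a fake-account network driven from a shared source address. The per-request cap, the detection threshold, and every account, phone number and IP address below are constructed assumptions.

```python
# Added example, not Twitter's code: a simplified contact-discovery lookup
# that only matches accounts whose owner opted in to discovery by phone number,
# caps numbers per request, and flags bulk enumeration across many accounts
# sharing a source address. All accounts, numbers and IPs here are constructed.
from collections import defaultdict

MAX_NUMBERS_PER_REQUEST = 100     # assumed cap; the real limit is not on the page
BULK_ACCOUNTS_PER_IP = 5          # assumed threshold for the enumeration detector

# Constructed directory: phone number -> (username, discoverable-by-phone opt-in)
DIRECTORY = {
    "+15550100001": ("alice", True),
    "+15550100002": ("bob", False),
    "+15550100003": ("carol", True),
}


def match_contacts(numbers):
    """Return username matches only for accounts that opted in to phone discovery."""
    if len(numbers) > MAX_NUMBERS_PER_REQUEST:
        raise ValueError("too many numbers in one request")
    matches = {}
    for number in numbers:
        entry = DIRECTORY.get(number)
        if entry and entry[1]:          # honour the opt-in setting
            matches[number] = entry[0]
    return matches


class EnumerationDetector:
    """Flag a source IP that drives contact lookups from many distinct accounts,
    the pattern of the fake-account network described in the article."""

    def __init__(self):
        self.accounts_by_ip = defaultdict(set)
        self.numbers_by_ip = defaultdict(int)

    def record(self, ip, account_id, numbers_submitted):
        """Log one lookup request: who sent it, from where, and how many numbers."""
        self.accounts_by_ip[ip].add(account_id)
        self.numbers_by_ip[ip] += numbers_submitted

    def suspicious_ips(self):
        """IPs behind at least BULK_ACCOUNTS_PER_IP distinct lookup accounts."""
        return sorted(ip for ip, accounts in self.accounts_by_ip.items()
                      if len(accounts) >= BULK_ACCOUNTS_PER_IP)
```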