Twitter says state-backed actors may have accessed users’ phone numbers


FILE PHOTO: The Twitter logo and binary cyber codes are seen in this illustration taken November 26, 2019. REUTERS/Dado Ruvic/Illustration/File Photo

SAN FRANCISCO (Reuters) – Twitter said on Monday that it had discovered attempts by possible state actors to access the phone numbers associated with user accounts, after a security researcher unearthed a flaw in the company’s “contacts upload” feature.

In a statement published on its privacy blog, Twitter said it had identified a “high volume of requests” to use the feature coming from IP addresses in Iran, Israel and Malaysia. It said, without elaborating, that “some of these IP addresses may have ties to state-sponsored actors.”

A company spokeswoman declined to say how many user phone numbers had been exposed, saying Twitter was unable to identify all of the accounts that may have been affected.

She said Twitter suspected a possible connection to state-backed actors because the attackers in Iran appeared to have had unrestricted access to Twitter, even though the network is banned there.

Tech publication TechCrunch reported on Dec. 24 that a security researcher, Ibrahim Balic, had managed to match 17 million phone numbers to specific Twitter user accounts by exploiting a flaw in the contacts feature of its Android app. TechCrunch said it was able to identify a senior Israeli politician by matching a phone number through the tool.

The feature, which allows people who have a user’s phone number to find and connect with that user on Twitter, is off by default for users in the European Union, where stringent privacy rules are in place. It is switched on by default for all other users globally, the spokeswoman said.

Twitter said in its statement that it has changed the feature so that it no longer reveals specific account names in response to requests. It has also suspended any accounts believed to have been abusing the tool.
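To make the flaw and the fix concrete, here is an added illustration (not Twitter’s code, and not from the article) of a contact-upload lookup in its weak shape beside a hardened one: the hardened version enforces a per-client quota, honours the discoverability setting the article says is off by default in the EU, and never returns account names. The user directory, the IP addresses and the quota value are constructed for the example.

```python
"""Contact-upload lookup: the weak shape beside a hardened one (added example)."""
from collections import defaultdict

# Constructed sample directory: phone number -> (handle, discoverable_by_phone).
# "discoverable_by_phone" models the setting the article says is off by default in the EU.
USERS = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", False),    # has opted out of phone-number discovery
    "+15550000003": ("carol", True),
}
MAX_NUMBERS_PER_IP = 200  # assumed per-IP quota for the example, not Twitter's real limit


def match_weak(numbers):
    """Weak shape the article describes: every matched number comes back with the
    account name and there is no per-client volume limit, so a large uploaded list
    maps numbers to accounts in bulk, regardless of each user's settings."""
    return {n: USERS[n][0] for n in numbers if n in USERS}


class HardenedContactSync:
    """Hardened shape: per-IP quota, opt-in discoverability, and no account names in
    the response. The client only learns how many suggestions exist; the actual
    suggestions surface later through the normal, rate-limited UI."""

    def __init__(self):
        self.uploaded_by_ip = defaultdict(int)   # cumulative numbers uploaded per client IP

    def match(self, client_ip, numbers):
        # Count before checking, so an over-quota client is still visible to review.
        self.uploaded_by_ip[client_ip] += len(numbers)
        if self.uploaded_by_ip[client_ip] > MAX_NUMBERS_PER_IP:
            raise PermissionError(f"{client_ip}: contact-upload quota exceeded")
        matched = [n for n in numbers if n in USERS and USERS[n][1]]
        # A count still says whether *something* matched, which is why the quota and
        # the opt-in default matter; it no longer says which number maps to which handle.
        return {"suggestions_available": len(matched)}

    def high_volume_ips(self, threshold=MAX_NUMBERS_PER_IP):
        """Review hook: client IPs whose cumulative uploads exceed the threshold, the
        'high volume of requests' signal the article says Twitter used to spot abuse."""
        return sorted(ip for ip, n in self.uploaded_by_ip.items() if n > threshold)
```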

However, the company is not sending individual notifications to users whose phone numbers were accessed in the data leak, which information security experts consider a best practice.

Reporting by Katie Paul; Editing by Leslie Adler