‘State actors’ may have accessed Twitter contacts

Twitter has warned that hackers acting on behalf of governments may have accessed the phone numbers of some users.

A security researcher discovered a flaw in its contacts upload feature in December that allowed him to access the phone numbers of senior politicians.

Around that time, Twitter said it saw a “high volume of requests” to use the feature from Iran, Israel and Malaysia.

It declined to say how many users’ phone numbers had been exposed.

In a statement published on its blog, Twitter said: “It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”

It did not provide much detail on why it thought it could have been a state-based attack, but one clue may lie in the fact that users in Iran appeared to have had access to the platform, even though Twitter is banned in the country.

The feature is designed to allow people who already have someone’s phone number to make contact with them on Twitter.

Mr Balic automatically generated more than two billion phone numbers and uploaded them to Twitter through the app. Over a two-month period he matched these generated numbers to users in Israel, Turkey, Iran, Greece, Armenia, France and Germany.

He did not alert Twitter to the vulnerability but included the phone numbers of high-profile Twitter users – such as politicians and officials – in a WhatsApp group in order to warn people affected directly.

The flaw was fixed by Twitter at the end of December.