In an odd turn of events, Twitter is implicating state-sponsored hackers from Malaysia, Israel and Iran in the abuse of a feature that allowed users to be discovered by others who have their phone number. The social media company says it made changes to the feature so that it doesn’t return specific account names anymore.
On 24 December 2019, the company became aware that someone was using a large number of fake accounts to abuse this feature. The offending accounts have since been suspended. But investigations revealed that a high volume of requests came from specific IP addresses in Malaysia, Israel and Iran. Twitter also suspects the involvement of state-sponsored hackers.
The feature is turned on by default, meaning most Twitter users who registered their phone numbers will have been affected. This includes those who have provided them for two-factor authentication. The exceptions to this are countries in the European Union, where users will have to opt in to use it.
This entire episode came shortly after the company used phone numbers and emails for targeted ads. If you haven’t already, you probably should opt out of the feature and, if possible, dissociate your phone number from your Twitter account.