For dissidents around the world, Twitter continues to be the best way to speak out against their repressive governments.

With that in mind, it’s easy to see why today’s announcement from the social media company is so disturbing. Twitter announced in a Monday blog post and accompanying statement that it had discovered that “bad actors” with possibly state-sponsored connections had found a way to massively link phone numbers to Twitter accounts.

In other words, an attacker using this technique could potentially unmask a person who tweets under a pseudonym but has linked a phone number to their account. It is also worth remembering that learning the phone number associated with an account is often a crucial step in a broader attack on that account.

“On December 24, 2019, we became aware that someone was using a large network of fake accounts to exploit our API and link usernames to phone numbers,” reads the Twitter blog post. “While we identified accounts located in a large number of countries engaged in this behavior, we observed a particularly large number of requests from individual IP addresses in Iran, Israel and Malaysia.”

With documented real-world intimidation of dissidents in Saudi Arabia, for example, it is easy to see how such exploits can lead to real damage.

“It is possible that some of these IP addresses may have links with government-sponsored actors,” the blog post continued.

We contacted Twitter to ask how many users were affected and whether the company intends to notify users whose phone numbers were linked in the manner described. We have not yet received a response.

It is important to note that not everyone was vulnerable to this specific exploit. According to Twitter, the bad actors in question could only link an account to a telephone number if the account met two specific criteria.

First, you had to have added a phone number to your account. Because many people do exactly that to enable two-factor authentication, a great many accounts fall into that bucket. Second, and this should narrow things down somewhat, you had to have enabled the “Let people with your phone number find you on Twitter” option.
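The two conditions above describe a privacy gate on contact discovery, and the blog post describes the abuse as a large network of fake accounts hammering that endpoint from a small set of IP addresses. The following is an added example, not Twitter's code: it models the gate (a number only resolves to an account that has a phone number set and has opted in to discovery) and then runs a defender-side volume check over constructed API log lines, flagging source IPs that submit an unusual quantity of numbers or rotate through many calling accounts inside a short window. The log format, field names, account directory and thresholds are all assumptions.

```python
"""Contact-discovery privacy gate plus volume-based abuse detection.

Added example (not Twitter's code). Account directory, log format and
thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account directory (assumption): phone may be None, and
# "discoverable" mirrors the "Let people with your phone number find you" setting.
ACCOUNTS = {
    "acct_a": {"phone": "+15550000001", "discoverable": True},
    "acct_b": {"phone": "+15550000002", "discoverable": False},  # opted out
    "acct_c": {"phone": None, "discoverable": True},              # no number on file
}

def discoverable_matches(numbers, accounts=ACCOUNTS):
    """Resolve submitted numbers only for accounts meeting BOTH criteria."""
    wanted = set(numbers)
    return {
        info["phone"]: name
        for name, info in accounts.items()
        if info["phone"] is not None          # criterion 1: number on file
        and info["discoverable"]              # criterion 2: discovery enabled
        and info["phone"] in wanted
    }

# Constructed log lines (not real traffic):
# timestamp  client_ip  calling_account  phone_numbers_submitted
SAMPLE_LOG = """\
2019-12-24T10:00:01Z 203.0.113.7 acct_0001 5000
2019-12-24T10:00:03Z 203.0.113.7 acct_0002 5000
2019-12-24T10:00:05Z 203.0.113.7 acct_0003 5000
2019-12-24T10:00:09Z 203.0.113.7 acct_0004 5000
2019-12-24T10:00:12Z 203.0.113.7 acct_0005 5000
2019-12-24T10:01:00Z 198.51.100.20 acct_9001 120
2019-12-24T10:15:00Z 198.51.100.20 acct_9001 80
2019-12-24T12:30:00Z 192.0.2.44 acct_7777 300
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, count = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, int(count)))
    return events

def flag_enumeration_sources(events, window=timedelta(minutes=10),
                             max_numbers=10_000, max_accounts=3):
    """Return {ip: {"numbers": n, "accounts": m}} for the first sliding window
    in which an IP exceeds either threshold. Normal contact sync is one account
    uploading its own address book once; many accounts from one IP, or tens of
    thousands of numbers in minutes, is the enumeration pattern."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            total = sum(e[3] for e in window_evs)
            accounts = {e[2] for e in window_evs}
            if total > max_numbers or len(accounts) > max_accounts:
                flagged[ip] = {"numbers": total, "accounts": len(accounts)}
                break
    return flagged

if __name__ == "__main__":
    print(discoverable_matches(["+15550000001", "+15550000002", "+15550000003"]))
    print(flag_enumeration_sources(parse_log(SAMPLE_LOG)))
```

In the sample, only `203.0.113.7` is flagged: three fake accounts submit 15,000 numbers within eleven seconds, while the other two addresses look like ordinary single-account syncs. The gate function shows why opting out of discoverability, or never adding a number, keeps an account out of the result set even when an attacker holds the number.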

It would now be a good time to ensure that that setting is not enabled. It would also be a good time for Twitter to consider removing it completely.

