Skip to content(if available)orjump to list(if available)

An incident impacting 5M accounts and private information on Twitter


Remember that phone numbers are only 10 digits long, so brute forcing all phone numbers is totally doable.

Considering that, if you implement any flow that involves checking if a phone number is already in use, then you are effectively leaking to an attacker a list of every phone number that uses your product.


It's interesting to wonder why only 5M accounts were affected by this exploit, especially if it's brute forceable. IIRC this vulnerability was widely known about for at least months before it was fixed, so I can't imagine nobody in the know had access to the resources/botnets necessary to enumerate through every account.

Have only 5M accounts linked their phone numbers on Twitter? That's less than 2% of their total accounts (~290M). I don't know what the industry average is for linking phone numbers, but this seems like an exceptionally low ratio.


5,000,000 seconds is about two months. The attackers simply might not have had enough time to check more numbers than that.

(Assumption: They were checking only one number per second, either to avoid detection or because they were rate-limited.)


What percent of mobile numbers do you think are associated with twitter accounts? I don’t know, but it wouldn’t surprise me to find out they had to try 500M or more numbers to find 5M accounts.


Phone numbers in the US. In other parts of the world, they're longer.


International phone numbers can be up to 15 digits, but in most places the rules narrow them down further.

For example in the UK the country code is 44, all mobile phone numbers start with 7, with 9 digits after that.


And all US numbers begin with 555, or so I’m lead to believe.




Us and Canada, remember we (Canada)helped invent the phone systems


Maybe Musk is right, they are all bots.


Maybe Musk is behind this to weasel out of the contract?


Rate limiting should be used to mitigate this, although I suppose a botnet could overcome that to some extent proportional to the size of the botnet.

And for anyone who didn't read TFA, this incident goes well beyond leaking what phone numbers use the product, it leaked the usernames associated with each as well.


Rate limiting is not useful meaningfully. For a service we ran we regularly had botnets with 100k+ IP addresses making one request an hour to endpoints, which absolutely decimated the backend but hit no limits at all that a real user wouldn't also trigger. Even with a couple of requests an hour you could enumerate the entire phone number space in a very short period with that botnet.


Out of curiosity, how does someone possibly get 100k+ IP addresses? I had enough trouble getting 1 public IP address.


How do you defend against such an attack? Putting a service behind something like Cloudflare won't bring it down but it will still leak the phone numbers existence, no?


I guess I was thinking more like "limiting the number of attempts" than "limiting the number of attempts over time" -- take time out of the equation (but then NAT causes trouble). But even so, you're right: as the threat landscape approaches the size of the result set, it breaks down no matter what.


It's a solved problems that you never confirm or deny the registration of an identity (like email or phone) for your service.

Bad login? "Not a valid user/pass combo"

Password recovery? No matter what email or phone provided, simply say "If the email matches our records, we will send a recovery link".


What about new user sign up? Most systems will tell you if an email address has already been registered (and it seems hard to get round that).


You can always show that message after email is verified. Don't reveal information without verifying the ownership of email or phone number.


Until the UX team comes in and demands "better error messages".


Possibly, but a good org will empower security teams to make that call and collaborate with UX on a safe compromise.


In the USA.

They range from 4 (St. Helena) to 13 (Austria), I believe.


It's typically smaller though, not every phone number is allocated and many are in sequential groups. Some are special cased, you don't need to search any number matching `****555***` in north america for example, which cuts down on the search space quite a bit.


"Quite a bit"? Filtering out ***555**** removes only 0.1% of phone numbers ;)


St Helena changed to 5 digits nearly 7 years ago.


Maybe they should store salted hashes of phone numbers.

The purposes of phone numbers:

1. Verify you are a not a bot: no need to store anything except TRUE once verified.

2. 2FA - well use something better than SMS, but if you must, store the hash, and make me enter my number for the 2FA each time. Compare with hash and then send SMS.


Didn’t downvote and think your idea is reasonable, but worth noting that twitter currently needs unhashed phone numbers for:

- Account search during password recovery (lets users search for their account by phone number):

- User discoverability and account recommendations (users who upload their address books can find others by phone number, users who share their number can be found by others):

Hashing numbers has other implications, like support impact (some folks don’t know their own phone number), preventing the ability to offer SMS updates in countries that need it (or to reactivate that feature in national emergencies for countries that SMS support was pulled from), as well as making potential marketing, data mining, satisfying legal requests, and future feature development harder.

So your suggestion is a good one for a privacy-conscious service that doesn’t already depend on (or that is unwilling to relinquish) unhashed numbers, but it probably isn’t in the nature of twitter to seek to protect user data at the expense of existing or future features, even after leaks like this.


Not to mention that only having salted hashes will make it harder for them to link your advertising profile with other data brokers.


Non-geeks dislike the hassle of 2FA enough as it is, having to enter their phone number every time too sounds like it would hurt adoption quite significantly.


With technology like FIDO Passkey built into newer phones (both iOS and Android), I see passwordless multi-factor attested auth becoming the standard for most services very soon. Then, users will have to do even less to get more security.


Downvote explainer?


CPU throughput =/= endpoint throughput


already doable with e-mail addresses. doing this with just a phone number is not really a problem. It is a problem when you can link the phone and email. But discovering a phonenumber in itself is nothing more then pressing random numbers and see who answers?


So after forcing users to enter a phone number to continue using twitter, despite twitter having no need to know the users phone number, they then leak the phone numbers and associated accounts. Great.

But it gets worse... After being told of the leak in January, rather than disclosing the fact millions of users data had been open for anyone who looked, they quietly fixed it and hoped nobody else had found it.

It was only when the press started to notice they finally disclosed the leak.

That isn't just one bug causing a security leak - it's a chain of bad decisions and bad security culture, and if anything should attract government fines for lax data security, this is it.


The whole announcement reeks of "Stop hitting yourself!"

What scum. They had lots of chances to fix this, the first one being not collecting phone numbers in the first place. They chose to do that, and then they didn't adequately protect it, and now they're oh so very surprised that someone might be doxing their most vulnerable users.

If anyone is harmed by this, Twitter should be held liable.


didn't actually not just protect the phone numbers. They actively used it illegally to market services outside of the purpose for which the numbers were gathered


It's not just Twitter. It happens every few months. The problem is centralized sites having "real name policies", requiring you to put your phone number and other crap:


I know the answer is money in politics, SV culture, etc. But it's near certainty twitter will continue as they do in and 2 weeks everyone will move on.

Maybe they get a small boo-boo in the form of a symbolic fine, mangers scramble for a bit, and then the whole thing happens again and again.

Why is this?


Because twitter users care more about the convince twitter provides than they do about the risks their privacy and security as a result of using twitter. I suspect most have no idea what the risks are or have some very limited idea of some of them. Maybe if they had a better understanding of the risks they'd close their accounts and move to something new, but I doubt there be enough of them to cause twitter to invest in securing the unnecessary amounts of data they collect.

This sort of thing will only be fixed when we hold companies accountable for failing to protect customer data through regulation with many rows of sharp teeth.


>Why is this?

Because non-twitter users don't give a fuck. And also, twitter users don't give a fuck.


Twitter is vulnerable, most vulnerable of the big social media sites it seems. The Musk deal has fallen through, and it seems like Musk was not the only one to lose confidence in Twitter. It could easily go the way of Myspace. How many users does Myspace have these days? Active users


Discord is also like this and it drives me nuts.


They also refuse voip numbers. I am now at 20 back and forth emails with Discord support explaining I do not own a cell phone. They are seriously suggesting I buy one just to use Discord.


Yeah. I used to live in a semi-rural area with no mobile phone coverage, and the insane level of disbelief from places when you tell them "I have no mobile phone" was a real problem. Including banks, and other utilities. :(


Maybe there needs to be some sort of law that prohibits this sort of thing.

In the meantime, Discord has been added to my "do not recommend" list.


I usually don't do ads, however there is a tool called SMS pva where you can rent phone numbers specific for services for a one time confirmation. You usually get a working one on first try.

I can't even count how many companies suggested that I should 'just get a phone number' to use their service.


I've seriously considered buying burner phones like a goddamn drug dealer for bullshit like this.


Requiring a phone number is part of fraud & spam prevention. Maybe you'd make a different tradeoff but that's not "no reason."


> The FTC says Twitter induced people to provide their phone numbers and email addresses by claiming that the company’s purpose was, for example, to “Safeguard your account.

> ...

> But according to the FTC, much more was going on behind the scenes. In fact, in addition to using people’s phone numbers and email addresses for the protective purposes the company claimed, Twitter also used the information to serve people targeted ads – ads that enriched Twitter by the multi-millions.


So you're right, it wasn't for "no reason", but it also wasn't just for fraud and spam prevention, security, or any of the other lies Twitter told users.


Exactly. I don't have an issue with this if I know they're not using it to farm shit off of me.

But then again, they wouldn't make much money otherwise.


it adds a small cost to creating sockpoppets but it adds much larger value in having personal data for targeted ads

like my sibling said, twitter was dishonest to their users how the phone number was to be used

if it's just to prevent bot signups, why keep it on file at all?


They no longer use it for ads, so the value now is just fraud and security.

> if it's just to prevent bot signups, why keep it on file at all?

I mean, you need the actual number for 2FA. I guess maybe you could hash it after some amount of time just for blocking bots? You couldn't just discard it or one number could create unlimited bots.


As someone that chooses not to own a cell phone, I am often written off as collateral damage in this type of thinking.


I pay about $0.2 for a working phone number instantly via API. Or pennies for packs of aged accounts. Do you actually think that stops anything?


I have seen too many services that ask phone number for account recovery purposes and then end up using it for other purposes for which the user didn't consent. Given how insecure SMS OTP is, I try not to enable that if I can avoid it. Then, on top of it, bugs like this make the service behave like a globally accessible open reverse-directory of mobile numbers to names.

How is twitter notifying users? Has anyone posted screenshots of this notification? I want to know where this notice will appear.


Not defending them but I think a major reason why Twitter (and for example Gmail nowadays) is asking for phone numbers is to decrease spam accounts (which is of course a good thing in itself).


How did they arrive at phone numbers? What other options did they try. It’s too easy to give companies a pass “because spam”


As I said, not defending them. They are likely doing dozens of other things as well. But using phone numbers is a quite effective method of hindering spam/bot account creation - in most countries in Europe at least getting a prepaid SIM requires ID nowadays. Not that Twitter would go as far as to inquire ownership records of phone numbers... but/so you could still go and buy 100 SIM cards if you wanted to, but it'd be way more expensive than just spawning new email addresses.


Isn't this the second or third time for Twitter to have this exact same flaw? From 2020:

I might be confused; this is a very old feature of Twitter that does have an opt out. Maybe this new disclosure is the opt out didn't work?

It's a different problem, but this year Twitter also got a $150M fine for illegally using the phone numbers they demand from users for marketing purposes.


We consistently have to go through Data protection practices, and limit the purpose of what the data collected can be used for. This seems like either a blatant miss in process, or willful ignore where $150m is under the EXPECTED value of the rewards through marketing


I think you will see more of this class of attack.

Lots of companies have various 'forgot my username'/'forgot my password'/'trying to sign up for a new account with a new email address but existing phone number'/'add a friend by email or phone' flows. It's very easy to accidentally leak some info that shouldn't be leaked while implementing such a flow, since you are peering into the users database querying by email/phone/other identifier while the user hasn't properly authenticated yet.


Yes. The proper way to implement this flow is to ask for the information, and then present the exact same result screen regardless of the actions taken. Any additional information or action should be done exclusively through the contact information you have on record.


And making sure constant time on the response. Otherwise the slower response likely corresponds to a real phone number if the backend synchronously did more actions, such as sending a recovery email. The backend would need to be really slow however in order for a strong enough signal for this to be useful.


Still it’s so much better to have the binary information of whether or not an account exists with that information than exactly which account it is.




> If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

First time I've heard a company actually say this. It's obvious to people who understand a bit about tech and security, but not obvious to the layperson. Twitter actually deserve a tiny amount of credit for giving practical advice that reduces adversity for users in the event of a breach.


No, that's just shifting the blame onto the user. If they are asking for something as sensitive as a mobile number, then they need to protect it properly.

They ask for a mobile number to verify you're a real human, then they say "Ha it's your fault you gave us a sensitive mobile number". 99.9% of users only have one mobile, and have no idea how to get an alternate number, so they just give the number they have.


> that's just shifting the blame onto the user.

Even so, it's the first time I've seen a company actually imply to the public in plain English that they can't protect private info, rather than maintain a facade of security that doesn't actually exist.

As you point out though, if Twitter requires a phone number to sign up and 99.9% of users use their personal number, then Twitter are basically saying "our security sucks and if you want an account you have no alternative...".

Some interesting corollaries:

- Are there any services that will sign up to twitter on behalf of users? (and would they work or would it be merely shifting trust from Twitter to a potentially less trustworthy party?)

- I wonder if Twitter could consider not requiring personal info at sign up so as to avoid this dark UX

- Is there a 10 minute mail for phone numbers?


No. That’s not practical advice. Twitter is gaslighting us. You can’t use Twitter without a phone number. They require it.


Combine the advice with the fact that a phone number is required and you get the practical advice: don’t use twitter.


I signed up for twitter a couple weeks ago to follow some ukraine folks. They didn't require a phone number and just double checking my account doesn't have one.


They require it most of the time, and not always at first. Do anything remotely controversial, like retweeting a non-conformist, and they likely will.


Except for a long time they shut down accounts without a phone number under the pretense of "suspicious activity". For some reason, these suspicions could be immediately allayed only by providing your phone number.

Being forced to do something and later being advised not to do that thing out of deep concern for my well-being? Yeah, that's the Twitter UX vibe: the most self-regarding, passive-aggressive person you know, in software form.


Twitter often FORCED users to enter a valid phone number by locking accounts, and then verified if it was active in comparison to accounts. To this day there is no way to remove the phone number or disassociate it with an account. Please do not oversimplify the offense, it does not do justice to the cited issues involved.


Two days ago, I've tried to create an account tied only to an email. During account creation, the wizard suddenly inserted an additional step and required my to enter a phone number.

I realise though that this is possibly an anti-spam measure (which I'm in favour of), since I've connected through Tor when creating the account. But this procedure stands in stark contrast to the advise given in the article.


If they actually cared they would make that statement in bold at the time they ask for your phone number and email address.


Perhaps Twitter needs to make it easier to create accounts anonymously and stop virtue signaling (i.e suspend accounts created over Tor onion-service)

With pseudonymous usage of public services information minimisation to maintain operational-security against private user-data being disclosed by external hackers or rogue insiders is a mantra that needs to be followed religiously.


I’m six months in and they haven’t asked for a phone number yet. I dread the day when they do. This is where proficiency in the Twilio API comes in handy.


Don't you still have to use an actual phone number when you sign up for Twilio?


If you trust twilio security policy you can defer the weakness of Twitter policy in favor of the strength of twilio.


when I started liking "too many" tweets I got hit with it and my mobile carrier (canada btw) refused to deliver txt msgs from Twitter so I could never get verified.


Lucky you. I can't create another twitter account as my number is on a network unreachable by their SMS system. Worst of both worlds for me as when that number was on another network they could verify. So leaked number that I cannot even use to verify a second business account :-(.


That's crazy. I can't remember the last time I wasn't straight up locked within 2 minutes of my first login.

Guess Linux users are bad, or whatever makes them trigger each f*ING time.


Created and accessed over Tor or a clearnet connection?


Virtue signaling? Preventing completely anonymously accounts doesn't seem to fit that colloquial definition of that, I always assumed it meant taking an action simply for social signalling, that has no benefit to you otherwise.


How about the fact Twitter recently launched an official onion-service yet it is claimed by users when attempting to create an account with email over it the account is locked for 'abuse' within short order?


I certainly understand why you want to use Tor to create a Twitter account, I guess the disconnect is you seem to feel it is fundamentally and obviously wrong to prevent this, but it does seem fairly clear why you'd offer a service to allow logins yet not signups. And in any case, can't speak to why an individual account got banned


I believe this is the vulnerability reported to Twitter which awarded $5000 from its bug bounty program.


$5k seems embarrassingly low so something with such horrendous impact. Potentially allowing for doxing, and because phone numbers are the lynchpin for many 2FA and consumer-facing telco security is generally lax, total user hijacking across multiple platforms. What an absolute disaster.


I have found many far more serious bugs, even at larger companies, that have paid me under $500. No one feels security researchers time is even worth that of the internal engineers creating the bugs.


Crypto bounties pay quite well;


Besides impact, $5K also doesn't make sense when compared to employee compensation.


if the disclosure and fix time is half a year, a blackhat is now able to both claim the bug bounty and sell the day zero exploit


Anyone have any idea how many of these bounties are collected by people who actively look (seems like a hard way to make a living) vs. say people with some knowledge who stumble across the issue and wouldn't take the time to properly report, otherwise (might convince me to take a couple of hours)?


Thanks for sharing this link. Twitter should've shared it in their post...


Turkish law authorities have abused Twitter's login system in the past several years. If an anonym Twitter account was critisizing Erdoğan they were trying to log in, try to reset the password, choose phone number and then Twitter was showing last two digits of the phone number.

They also have list of known people who were critisizing the Erdoğan publicaly but without any bad words, unable to open a criminal case agains that person.

Then they were matching probable phone numbers (last two digits) from Twitter with these knnown people'phone numbers. If there was a match (last two digits) they opened a criminal case.

And then that person was being visited by police officers in the morning, arrested for several hours, then he had to attend hearings for 3 years, like once evry 4 months. Also he had to hire a lawyer, for 5 minimal salaries.

At the end he probably wins the case if he is not the owner of that Twitter account, and Erdoğan pays around 1x minimal salary to defendant's lawyer.


Pretty disgusting they don't have a thing to check if they leaked my personal information, which lets not forget they screamed and stamped their feet to force me to hand over in the first place.

I never wanted to give you my phone number, Twitter. You demanded it.


Pretty disgusting they don't have a thing to check if they leaked my personal information

From the linked notice, fwiw: "We will be directly notifying the account owners we can confirm were affected by this issue."


Interesting how just throwing the 5M figure in the title changed everything for this post:


Well yeah. Some accounts could be two. If I see language like that in a headline, I pretty much ignore it. It's like when I see the word "may" in a headline. "New wonder drug may cure cancer." That isn't even news.


> In January 2022, we received a report through our bug bounty program

> This bug resulted from an update to our code in June 2021

Does this mean the problem existed for 7 months and nobody at Twitter noticed until they received a bug report?


That's not unusual for a security bug; it's not like this stopped people from using the app in a way that they'd loudly complain about or that would show up in metrics.


Given they didn't think it was exploited they must have pretty poor logging and analytics around that part of their infrastructure. Someone managed to abuse it millions of times and they didn't know about it even after they'd fixed it and knew exactly where to look for abuse.


Curious what kind of logs/analytics would you add and watch to catch something like this?


You should notice a spike in any request logging metric if someone exploits this.


Cleaning house before due diligence.