By exploiting a bug in the Twitter Android app, security researcher Ibrahim Balic matched 17 million phone numbers to Twitter accounts (via TechCrunch).
What Mr. Balic discovered was the ability to upload entire lists of generated phone numbers using Twitter’s upload contacts feature. Although it doesn’t accept lists of phone numbers in sequential order, he randomized over 2 billion numbers. He also noted it didn’t work on Twitter.com.
While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users — including politicians and officials — to a WhatsApp group in an effort to warn users directly.
It’s not believed Balic’s efforts are related to a Twitter blog post published this week, which confirmed a bug could have allowed “a bad actor to see nonpublic account information or to control your account,” such as tweets, direct messages and location information.
Twitter said it was working on a fix.