Twitter patches phone number vulnerability that affected millions

In December 2019, a flaw in Twitter’s Android app allowed third parties to connect millions of phone numbers to individual accounts. On Monday, Twitter announced that the problem was even more widespread than initially believed, but says it has fixed the vulnerability. If that’s not enough for you, there’s a way to remove your phone number and keep your account secure.

The bug — Ibrahim Balic, a security researcher, discovered that he could connect random numbers to Twitter accounts by exploiting a social feature. Twitter users have the option to allow friends to find them using their number or email address (Settings>Privacy and Safety>Discoverability and contacts). If you didn’t have these options turned on or have your number connected, your account wasn’t made vulnerable.

By manipulating that feature, third parties could connect to what was originally believed to be about 17 million accounts. Twitter has suspended the accounts exploiting this vulnerability.

Still want to pull your number? — If toggling your discoverability settings off isn’t enough for you, you can remove your number from Twitter. Many people use their number for 2FA authentication, so deleting it (Settings>Account>Phone) will turn that security feature off. Instead, you can use an app like Google Authenticator (Settings>Account>Security>Two-Factor Authentication) for an added layer of login security. If you’re going through all this trouble, please do not log in to your Google account in the Authenticator app.