If Messenia cries, Sparta doesn't laugh. Or, in social terms, we could say: "If Facebook cries, Twitter won't laugh". Both social networks are in fact facing several problems on user security: Facebook has been attacked harshly by Pavel Durov in recent days, Twitter has faced a huge security problem related to the way the service has used the users' phone number. .
At the end of 2019, the account of Jack Dorsey, father of the microblogging platform, was hacked through a technique known as SIM Swapping. In the past few hours, the company revealed that by querying some API of the platform it was possible – for any malicious actors – to connect the telephone number in the company's database to the specific account. The company also revealed that it had discovered and suspended one "huge network of fake accounts" from "different countries" who actively abused the security breach during December.
Online services often ask for users' permission to access the phone number or their contact list for various reasons. In the hack suffered by Dorsey it was to send tweets through SMS text messages. In the case reported by Twitter, the number can be entered (optionally) to guarantee to friends who already have it to check if the owner of the number is already registered for the service. It is clear that proceeding on millions of telephone numbers can be defined as an abuse of the function, which is not meant for this.
The security team has in fact immediately suspended the accounts of researchers who had exploited the security hole but, through the new details on the story revealed by Twitter in these hours, we learn that the bug was used by a network of fake accounts created in different countries, including Iran, Israel and Malaysia. The accounts could belong to hackers in the pay of governments, or to government employees themselves.
Twitter makes it known that it has taken the necessary measures to close the leak and ensure that the latter can no longer be used as a carrier for this type of attack but, to date, the ramifications that the violation may have had remain unknown. However, the company has not yet advised to change the password, however it may be a wise idea to do so, either completely disconnect your phone number from your Twitter account. It should be emphasized that the exploited function is deactivated by default in all European accounts, while in accounts in other parts of the world it is automatically activated as soon as you enter the phone number on the service.