Continuing to test users’ patience, Twitter admitted to further abuse of one of its APIs this week.
In late December, the company said it became aware of “a large network of fake accounts to exploit our API and match usernames to phone numbers.”
After shuttering that particular network, however, Twitter then found additional accounts that it suspected might have been exploiting the same API endpoint.
“We identified accounts located in a wide range of countries engaging in these behaviors,” Twitter’s privacy team said on Monday. “It is possible that some of these IP addresses may have ties to state-sponsored actors.”
Twitter originally designed the abused API endpoint to help new account holders find people they already knew on the network.
Specifically, the endpoint matched phone numbers to Twitter accounts for those users who had enabled the “Let people who have your phone number find you on Twitter” option and who had a phone number associated with their Twitter account.
Users who did not have this setting enabled (or did not have a phone number associated with their account) were not exposed by this abuse.
Twitter says it has since made a number of changes to the endpoint so that it no longer returns specific account names in response to queries, and has suspended the accounts suspected of exploiting it.
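To make the mechanics concrete, the following is an added, constructed model of a phone-number contact-discovery endpoint. It is not Twitter’s code and does not reproduce the actual abuse; the account names, phone numbers, the per-caller budget, the prefix-flagging threshold and the `ContactDiscovery` class are all assumptions. It contrasts the behaviour the article describes (an opted-in number resolves to an account name, with no cap on query volume) with a hardened variant that returns no account names and budgets each caller, and then shows why a per-caller budget alone does not stop a farm of fake accounts.

```python
"""Constructed model of a phone-number contact-discovery endpoint.
Not Twitter's code; account names, numbers and thresholds are made up."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    phone: Optional[str]
    discoverable_by_phone: bool  # the "Let people who have your phone number find you" setting


# Constructed directory: none of these are real accounts or numbers.
DIRECTORY = [
    Account("alice", "+15550100001", True),
    Account("bob", "+15550100002", False),   # opted out: must never be matched
    Account("carol", "+15550100003", True),
    Account("dave", None, True),             # no phone on file: nothing to match
]

PER_CALLER_BUDGET = 100        # assumed: numbers one caller may submit in total
PREFIX_CALLER_THRESHOLD = 20   # assumed: distinct callers probing one prefix before it is flagged


class ContactDiscovery:
    def __init__(self, directory, per_caller_budget=PER_CALLER_BUDGET):
        self._by_phone = {a.phone: a for a in directory if a.phone}
        self._budget = per_caller_budget
        self._used = defaultdict(int)               # caller -> numbers submitted so far
        self._callers_by_prefix = defaultdict(set)  # number prefix -> callers that probed it

    def _opted_in(self, phone):
        acct = self._by_phone.get(phone)
        return acct if acct and acct.discoverable_by_phone else None

    def match_original(self, caller, phones):
        """Behaviour as the article describes it: any opted-in number resolves to
        its account name, with no cap on how many numbers a caller may submit."""
        return {p: a.username for p in phones if (a := self._opted_in(p))}

    def match_hardened(self, caller, phones):
        """Hardened variant: enforce a per-caller budget and never return account
        names; the response only lists which submitted numbers matched."""
        if self._used[caller] + len(phones) > self._budget:
            raise PermissionError(f"{caller}: contact-match budget exceeded")
        self._used[caller] += len(phones)
        for p in phones:
            self._callers_by_prefix[p[:8]].add(caller)
        return [p for p in phones if self._opted_in(p)]

    def suspicious_prefixes(self, threshold=PREFIX_CALLER_THRESHOLD):
        """Cross-caller signal: one number prefix probed by many distinct callers is
        what a farm of fake accounts looks like even when each stays under budget."""
        return sorted(p for p, callers in self._callers_by_prefix.items()
                      if len(callers) >= threshold)


def enumerate_with_fake_accounts(svc, n_accounts, budget=PER_CALLER_BUDGET):
    """Attacker-side model: each fake account spends its whole budget on a
    contiguous block of numbers, so N accounts cover N * budget numbers."""
    matched = []
    for i in range(n_accounts):
        start = 100000 + i * budget
        block = [f"+1555{n:07d}" for n in range(start, start + budget)]
        matched += svc.match_hardened(f"fake{i}", block)
    return matched


def run_demo():
    """Returns what each variant leaks, for a single caller and for an account farm."""
    svc = ContactDiscovery(DIRECTORY)
    probe = ["+15550100001", "+15550100002", "+15550100003", "+15550100004"]
    original = svc.match_original("single", probe)      # account names leak
    hardened = svc.match_hardened("single", probe)      # membership only, no names
    farm_hits = enumerate_with_fake_accounts(svc, 25)   # 25 callers x 100 numbers, each under budget
    return {
        "original": original,
        "hardened": hardened,
        "farm_hits": farm_hits,
        "flagged_prefixes": svc.suspicious_prefixes(),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things the model makes visible. First, even the hardened response is still a membership oracle: it no longer says who owns a number, but it confirms that an opted-in account exists for it, so budgets only raise the attacker’s cost rather than removing the leak. Second, a per-caller budget is defeated by exactly what the article describes, a large network of fake accounts: twenty-five callers each staying under their limit still sweep 2,500 numbers. Catching that requires a signal that spans callers, such as the number of distinct (and typically new) accounts probing the same number range.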
Unfortunately for Twitter users, security lapses have become a recurring theme for the tech giant.
Earlier in 2019, for example, Twitter was forced to alert Android users that their private tweets might have been exposed.
In late 2018, Twitter disclosed a bug that had potentially exposed the country code of users’ personal phone numbers, as well as whether their accounts had been locked by the social giant.