Don’t upload your contacts to Twitter. If you do, or if you already have on your Android device, your phone number could be one of 17 million exposed on the app through a bug first reported by TechCrunch.

Security researcher Ibrahim Balic, who is based in London, told the site he was able to match records in seven different countries, including one of a senior Israeli politician and several other high-profile users. He did this after discovering that when a user uploads their contacts, the app would “fetch user data in return,” he told TechCrunch. It was then possible to match the phone numbers uploaded into the app with the Twitter records and figure out account usernames.

Twitter had previously reported a security flaw in its Android app on December 20 that, it said in a statement at the time, “could allow a bad actor to see nonpublic account information or to control your account (i.e., send Tweets or Direct Messages).”

But the flaw that Twitter reported appeared to depend on the insertion of malicious code. This new flaw that Balic reported involves no malicious code; it simply involves knowing someone’s phone number and being able to figure out their Twitter persona from that information alone.

This is the latest in a series of bugs or hacking attacks that have plagued Twitter and other social networks, including Facebook. In November, both apps said the data of “hundreds of users” was compromised through faulty Android apps. Emails, usernames, and recent tweets were all exposed. In both this recent case and the one in November, Twitter said at the time that it had no evidence that anyone’s account was actually hacked or exploited, although it did admit there were two bad actors involved who were paying developers to use malicious software development kits.

Twitter has suffered a few huge leaks in the past several years, including one in 2016 that exposed the login credentials of 32.8 million users, and another in 2018 wherein Twitter urged 330 million users to change their passwords after they were exposed on the company’s internal network.
