in response to this. If the link disappears, here’s the skinny, written by Catalin Cimpanu for Zero Day; reported on line 3 Feb 2020
In an email seeking clarifications about the incident, Twitter told ZDNet that they became aware of exploitation attempts against this API feature on December 24, 2019, following a report from tech news site TechCrunch. The report detailed the efforts of a security researcher who abused a Twitter API feature to match 17 million phone numbers to public usernames.
Twitter says that following this report it intervened and immediately suspended a large network of fake accounts that had been used to query its API and match phone numbers to Twitter usernames.
During its investigation into the report, the social network told ZDNet that it also discovered additional evidence that this API bug had also been exploited by other third-parties, beyond the security researcher at the heart of the TechCrunch report.