Security research Ibrahim Balic claimed to have exploited a bug on Twitter's Android app that let him match 17 million phone numbers to users' accounts. He was able to upload full lists of generated phone numbers through the app's contacts upload feature. TechCrunch reported the discovery and Twitter had blocked the flaw on December 20.
Balic generated over two billion numbers, and he was able to match it to records of users in France, Germany, Iran, Greece, Turkey, Israel, and Armenia. He was able to fetch user data on them and informed high-profile Twitter users, through a WhatsApp group, about the vulnerability. Balic didn't alert Twitter about the vulnerability, though. Twitter assures TechCrunch that the bug "cannot be exploited again."