We have become aware of an issue related to one of our support forms, which is used by account holders to contact X about issues with their account. We began working to resolve the issue on November 15 and it was fixed by November 16. This could be used to discover the country code of people’s phone numbers if they had one associated with their X account, as well as whether or not their account had been locked by X. We lock an account if it appears to be compromised or in violation of the X Rules or our Terms of Service. More on what it means when an account is in a locked state here. Importantly, this issue did not expose full phone numbers or any other personal data. We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted.
Since we became aware of the issue, we have been investigating the origins and background in order to provide you with as much information as possible. During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors. We continue to err on the side of full transparency in this area and have updated law enforcement on our findings.
No action is required by account holders and we have resolved the issue. If you have any questions or concerns, you can contact X’s Data Protection Officer, Damien Kieran, by completing the online form located here. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day. We are sorry this happened.