A screenshot of the Twitter technical bug screen.

Looks like this year isn’t ending without yet another data leak story. And this time (again!), its Twitter under the lens. In the latest instance that has come to light, a security researcher named Ibrahim Balic has revealed that the Twitter for Android app’s bug has helped him match 17 million phone numbers to Twitter accounts.

He found that it was possible to upload entire lists of generated phone numbers through Twitter’s contacts upload feature. In conversation with TechCrunch, he said: “If you upload your phone number, it fetches user data in return.”

He added that Twitter’s contact upload feature doesn’t accept lists of phone numbers in sequential format — likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app.

As per Balic, the bug did not exist in the web-based upload feature. He said that he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany for over two months but stopped after Twitter blocked the effort on December 20.

While Ibrahim Balic did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users to a WhatsApp group in an effort to warn users directly. A Twitter spokesperson told TechCrunch the company was working to “ensure this bug cannot be exploited again.”

Twitter spokesperson added: “Upon learning of this bug, we suspended the accounts used to inappropriately access people’s personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter’s APIs.”

As we said, this is the latest security lapse from Twitter in the past year. In May, Twitter admitted it gave account location data to one of its partners, even if the user had opted-out of having their data shared.

Later, in August, the company said it inadvertently gave its ad partners more data than it should have. Last month, Twitter confirmed it used phone numbers provided by users for two-factor authentication for serving targeted ads.