Twitter recently disclosed an “incident” in how the service handles phone numbers. The company announced that it had shut down “a large arrangement of fake accounts” responsible for uploading lists of phone numbers and then using Twitter’s own API to match them to individual usernames.

According to the Electronic Frontier Foundation (EFF), this is exactly the type of activity used to create reverse-lookup tools: the kinds of services that match specific users, or their accounts, with an otherwise random phone number.

Twitter, Facebook, and other social networks all offer the option to upload your contact list into the app to connect with other users. The APIs used to support these types of uploads often include limitations to keep bad actors from abusing the tools. But there’s almost always a workaround. In Twitter’s case, one of the API limitations in place rejects anyone who tries to upload a list of consecutive phone numbers, a clear indication that it’s not a user uploading their contacts.

But the security researchers who tipped Twitter off to the problem found a comically simple workaround: randomize the uploaded information to avoid consecutive strings of numbers. This allowed them to match phone numbers to usernames for more than 17 million Twitter users, including celebrities and public officials.
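Why an order-based check fails while an order-independent one holds up, as an added defender-side example (not Twitter's code; its actual check is not public). The function names, thresholds and all numbers are assumptions constructed for illustration.

```python
"""Contact-upload screening: order-based check vs. order-independent check."""

def looks_sequential_in_order(numbers, max_run=5):
    """Naive filter: flags a batch only if, in the order uploaded, it
    contains a run of more than max_run consecutive numbers."""
    run = 1
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run > max_run:
            return True
    return False

def looks_enumerated(numbers, cluster=20, span=100):
    """Order-independent filter: sort and deduplicate first, then flag the
    batch if any `cluster` distinct numbers fall inside a block of `span`.
    Real address books are sparse; swept ranges are dense however ordered."""
    nums = sorted(set(numbers))
    return any(nums[i + cluster - 1] - nums[i] < span
               for i in range(len(nums) - cluster + 1))

# --- Constructed sample data (not real subscriber numbers) ---
BLOCK_START = 1005550100
SWEPT_BLOCK = list(range(BLOCK_START, BLOCK_START + 100))

# The same 100 numbers, reordered with a fixed stride so no two neighbours
# are consecutive. Stands in for the randomised upload, but reproducible.
REORDERED_BLOCK = [BLOCK_START + (i * 37) % 100 for i in range(100)]

# A plausible address book: 150 scattered contacts plus four colleagues
# whose numbers sit next to each other in one office block.
ADDRESS_BOOK = [BLOCK_START + i * 104_729 for i in range(150)]
ADDRESS_BOOK += [1009990001, 1009990002, 1009990003, 1009990004]

def screen(numbers):
    """Return (naive_verdict, order_independent_verdict) for one upload."""
    return looks_sequential_in_order(numbers), looks_enumerated(numbers)

if __name__ == "__main__":
    for name, batch in [("swept block, in order", SWEPT_BLOCK),
                        ("swept block, reordered", REORDERED_BLOCK),
                        ("ordinary address book", ADDRESS_BOOK)]:
        naive, robust = screen(batch)
        print(f"{name:24} naive={naive!s:5} order-independent={robust}")
```

A per-batch check like this still needs to be paired with per-account and cross-account rate limits, since the incident described here involved a large number of accounts rather than a single uploader.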

So far the problem only seems to affect Twitter accounts that have a phone number associated with them and have “phone number discoverability” enabled in their settings. If you’re unsure, you can follow the EFF’s step-by-step guide to checking your settings.

According to Twitter, the API exploitation is believed to have originated from IP addresses in Iran, Israel, and Malaysia. “It’s accessible that some of these IP addresses may have ties to state-sponsored actors,” a spokesperson wrote.

It’s not the first time Twitter has mishandled users’ phone numbers. In October the company admitted to allowing advertisers to use phone numbers and email addresses, which users had provided for “safety and aegis purposes” like two-factor authentication, to tailor audiences in its ad tracking system, known as Tailored Audiences and Partner Audiences.

A blog post announcing the issue said:

We cannot say with authoritativeness how many people were impacted by this, but in an effort to be transparent, we wanted to make anybody aware. No claimed data was ever shared evidently with our ally or any other third parties.
