A Twitter bug exposed user data to ‘suspicious’ IP addresses, which may have links to state-sponsored actors, located in China and Saudi Arabia.

According to Twitter, an issue relating to one of its support forms meant that the country code of account phone numbers, as well as information on whether an account is locked, may have been revealed. The bug, which Twitter identified on 15 November and resolved on 16 November, is said to have not exposed full phone numbers or any other personal data.

The microblogging site found ‘unusual activity’ involving the affected customer support form API and observed that a large amount of traffic had come from IP addresses in China and Saudi Arabia. Despite this, Twitter is unable to confirm if these IP addresses have ties to the state in the respective countries.

Twitter said that it has directly informed the people that it identified as being affected but will also deliver a wider notice to users, because it may not have identified all those hit. Nonetheless, users do not need to take any action.