Twitter has disclosed a serious security incident that allowed bad actors to link usernames with phone numbers.
According to a blog post on the company’s privacy site, on December 24, 2019, Twitter “became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers.”
The company took immediate action to suspend the fake accounts but, on further investigation, found additional accounts that may have been exploiting the API. The API in question lets a user find people they know from their phone numbers; it returns a match only if the other person has a phone number linked to their account and has the “Let people who have your phone number find you on Twitter” setting turned on. The fake accounts misused it in reverse: instead of matching a genuine address book, they fed it large lists of numbers belonging to accounts they had no connection to and collected the username returned for every hit.
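To make the abuse concrete, here is a small Python model of a contact-discovery endpoint of the kind described above, added as an illustration; it is not Twitter's code and does not reproduce Twitter's actual fix. The per-account quota, the per-origin quota, the range-scan heuristic, the account names and the phone-number range are all constructed for the example. It shows why a per-account limit alone does not stop a "large network of fake accounts" (the fleet simply splits the number range between accounts), why a naive consecutive-number check is defeated by scanning with a stride, and how a quota keyed on the request origin rather than the account cuts the harvest.

```python
"""Toy contact-discovery lookup and the bulk-matching abuse against it.
Added example; the service, limits and data are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    phone: Optional[str]
    discoverable_by_phone: bool  # the "let people who have your number find you" setting


class ContactDiscovery:
    """'Find people you know': upload numbers, get back usernames for those that
    have the number linked and discoverability on. Only control: a per-account
    quota (hypothetical value)."""
    PER_ACCOUNT_LIMIT = 500

    def __init__(self, users):
        self.by_phone = {u.phone: u.username
                         for u in users if u.phone and u.discoverable_by_phone}
        self.spent = defaultdict(int)

    def match(self, requester, numbers, origin="unknown"):
        if self.spent[requester] + len(numbers) > self.PER_ACCOUNT_LIMIT:
            raise PermissionError(f"{requester}: per-account quota exceeded")
        self.spent[requester] += len(numbers)
        return {n: self.by_phone[n] for n in numbers if n in self.by_phone}


def enumerate_via_fake_accounts(service, fleet, candidates):
    """Attacker side: a fleet of (account, origin) pairs shares one candidate
    list so no single account exceeds its quota; throttled accounts are skipped."""
    harvested, step = {}, service.PER_ACCOUNT_LIMIT
    for i, (acct, origin) in enumerate(fleet):
        batch = candidates[i * step:(i + 1) * step]
        if not batch:
            break
        try:
            harvested.update(service.match(acct, batch, origin))
        except PermissionError:
            continue
    return harvested


def looks_like_enumeration(numbers, run_threshold=0.5):
    """Heuristic: an address book is sparse and unordered; a scan uploads dense
    ranges. Flag a batch if >= run_threshold of its numbers have n+1 present."""
    as_int = {int(n) for n in numbers}
    if len(as_int) < 20:
        return False
    adjacent = sum(1 for n in as_int if n + 1 in as_int)
    return adjacent / len(as_int) >= run_threshold


class HardenedContactDiscovery(ContactDiscovery):
    """Adds two hypothetical controls: reject range-shaped batches, and cap
    lookups per request origin (IP block / ASN) so that multiplying accounts
    behind one origin buys the attacker nothing."""
    ORIGIN_LIMIT = 1000

    def __init__(self, users):
        super().__init__(users)
        self.origin_spent = defaultdict(int)

    def match(self, requester, numbers, origin="unknown"):
        if looks_like_enumeration(numbers):
            raise PermissionError(f"{requester}: batch rejected as range scan")
        if self.origin_spent[origin] + len(numbers) > self.ORIGIN_LIMIT:
            raise PermissionError(f"{origin}: per-origin quota exceeded")
        self.origin_spent[origin] += len(numbers)
        return super().match(requester, numbers, origin)


# Constructed data: 3000 consecutive numbers; every 10th is a user, every 20th discoverable.
CANDIDATES = [str(15550000000 + i) for i in range(3000)]


def build_users():
    return [User(f"user{i}", CANDIDATES[i], i % 20 == 0)
            for i in range(0, 3000, 10)] + [User("nophone", None, True)]


def run_demo():
    fleet = [(f"bot{i}", "AS64500") for i in range(6)]          # six fakes, one origin
    naive = enumerate_via_fake_accounts(ContactDiscovery(build_users()), fleet, CANDIDATES)
    hardened = HardenedContactDiscovery(build_users())
    blocked = enumerate_via_fake_accounts(hardened, fleet, CANDIDATES)   # sequential scan
    strided = [CANDIDATES[(i * 7) % 3000] for i in range(3000)]          # evades the heuristic
    partial = enumerate_via_fake_accounts(hardened, fleet, strided)      # origin quota bites
    book = [CANDIDATES[(i * 113) % 3000] for i in range(25)]             # a genuine address book
    legit = hardened.match("alice", book, origin="home-isp")
    return {"naive": len(naive), "blocked": len(blocked), "strided": len(partial), "legit": legit}


if __name__ == "__main__":
    print(run_demo())
```

The numbers tell the story: the naive service gives up every discoverable user (150) to a six-account fleet, the sequential scan is rejected outright by the shape check, a stride-7 scan sails past that check but is cut to the first 1000 lookups from the origin (50 hits), and a real 25-entry address book from a different origin still resolves normally. The heuristic is a tripwire, not a fix; the durable control is keying the budget on something the attacker cannot mint for free.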
Although the fake accounts’ IP addresses were spread around the globe, Twitter says an unusually high number traced back to Iran, Israel, and Malaysia, and that it is therefore “possible that some of these IP addresses may have ties to state-sponsored actors.”
The company has changed how the API works to make sure this can’t be exploited in the future and apologized to its users for the incident.