We recently discovered an issue that allowed bad actors to match a specific phone number with the corresponding accounts on Twitter. We quickly corrected this issue and are sorry this happened. You can learn more about our investigation here: https://t.co/Z6Q4geQ8jo

— Twitter Support (@TwitterSupport) February 3, 2020

The company says that after suspending the first set of fake accounts exploiting the flaw — presumably Balic’s, who created hundreds of sock puppet accounts for his investigation — it found more. Those additional accounts were located from a wide range of countries, but most of them were from Iran, Israel and Malaysia, based on the IP addresses Twitter traced.

“It is possible that some of these IP addresses may have ties to state-sponsored actors,” its announcement reads. “We are disclosing this out of an abundance of caution and as a matter of principle.”

Although the flaw allowed bad actors to look up millions of phone numbers of people they don’t know, users who don’t have the “Let people who have your phone number find you on Twitter” setting enabled weren’t affected. Further, Twitter suspended all the offending accounts it found and modified its API to prevent bad actors from exploiting the number matching feature going forward.