The co-founder of the company behind Twitter's SMS 2FA text service is reported to have secretly sold access to its network to governments, allowing them to locate persons of interest and, in some cases, obtain their phone logs.
Twitter uses the company Mitto AG to send text messages on its behalf, including the security codes used for two-factor authentication (2FA).
According to a report from Bloomberg, Twitter told a US senator it was cutting ties with a European technology company that helped it send sensitive passcodes to its users via text messages.
The social media company said in a disclosure to US Senator Ron Wyden, a Democrat from Oregon, that it was moving its services away from Mitto AG.
Mitto's co-founder operates a service that helps governments covertly monitor and track cell phones.
One approach that has reportedly been used is to exploit a known vulnerability in the Signaling System 7 (SS7) mobile telecommunications protocol.
It has been known since at least 2016 that a major security flaw in SS7 allows it to be used to listen to calls, read texts, and track users' locations.
The invasion of privacy appears to have been perpetrated by Mitto co-founder and chief operating officer Ilja Gorelik without the knowledge of anyone else at the company.
A spokesman for Mitto said the company itself was not involved and was investigating. Unconfirmed reports say that Gorelik is no longer involved with the company.
This is another reason to avoid using text messages for 2FA. Always use Apple's built-in 2FA support, or a third-party app like Google Authenticator, whenever you have the option.
If a company only offers text messages, then Apple's autofill feature at least reduces the risk, as reported by 9to5mac.