
Twitter warned of phone country code leak two years ago — but did nothing, security researcher says
A security researcher found a bug in Twitter’s support form two years ago that exposed the country codes of phone numbers attached to users’ accounts. At the time, his bug report was closed because it did “not appear to present a significant security risk.”
Twitter now says that the bug may have been abused by nation-state actors.
“We have become aware of an issue related to one of our support forms, which is used by account holders to contact Twitter about issues with their account,” said Twitter in its disclosure. “This could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter.”
Peerzada Ahmad reported the bug through HackerOne, which hosts Twitter’s bug reporting program, in the hope of a fix and a bounty payout, but the report was marked as “informative” and no action was taken.
Qureshi shared his bug report with TechCrunch after learning of Monday’s disclosure. In it, he described how it was “possible to map out whether a mobile number is attached to a Twitter account including the country where the mobile number is registered by identifying the country code.”