IOTW: Twitter Leaves Confidential Information Vulnerable—Again
Not enough social media distancing of data
Add bookmarkIn yet another data security incident involving Twitter, the personal account information of business operators using Twitter Ads and Twitter Analytics was compromised. User information was stored in the browser cache even after logging out of Twitter, leaving email addresses, contact numbers, and the last four digits of credit cards vulnerable.
While Twitter hasn’t released the number of affected accounts, about 75% of B2B businesses market their products or services on the platform.
The breach was determined to be a glitch in the system. It was discovered on May 20th and fixed soon after when Twitter updated the way it sends information to a browser cache.
Twitter Says Sorry
Twitter issued an email apology to the affected clients a month later. The email reads in part:
“Hello,
We are writing to let you know of a data security incident that may have involved your personal information on ads.twitter.com and analytics.twitter.com.
We became aware of an issue that meant that prior to May 20, 2020, if you viewed your billing information on ads.twitter.com or analytics.twitter.com the billing information may have been stored in the browser's cache.
Related: Preventing Enterprise Data Theft From Departing Employees
“If you used a shared computer, it is possible that if someone used the computer after you they could have seen the information stored in the browser's cache (most browsers generally store data in their cache by default for a short period of time like 30 days).
“We're very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day. If you have additional questions, you can write to our Office of Data Protection here.
Thank you.”
Trust Is Earned
This isn’t the first time Twitter has found itself in similar situations. In fact, in April, a similar incident occurred involving the way Firefox cached Twitter exchanges. Direct messages and downloaded data archives remained available even after the user signed out of their account.
In December 2019, it was discovered that Twitter account holders could be matched with their phone numbers. Twitter has also admitted to giving away location data even if a user opted out and storing passwords in plain text as recently as 2018.
Why It’s A Big Deal
It is possible that the leaked information could fall into the wrong hands in the case of shared or public computers or devices. From there, there is a risk of the information being used in phishing schemes.
Related: Phishing Attacks Work Because… Humans
Remember, phishers often compile personal data over a long period of time before utilizing the information. From there, convincing phone calls and emails are sent out by the cybercriminal in an attempt to fool the unalert user into offering up even more information—or worse, full credit card numbers—than can then be used in future, deeper breach attempts. All leaks and breaches must be taken seriously.
Clearing browser cache on shared computers after use is a good habit to form, as this breach demonstrates. Setting up strong passwords and two-factor authentication also decreases Twitter user risks.