Twitter apologized after disclosing that details of its advertisers were exposed in a data leak affecting web application users. The social media giant emailed its business customers to warn that their information may have been compromised in a security lapse discovered in May. The company’s spokesperson said its business users’ billing information was inadvertently stored in the browser’s cache, making it possible for other people who share the same computer to access it. The exposed data included account details and billing information associated with advertisers’ accounts. Twitter has seen several security incidents recently, casting doubt on the information security of its 330 million active users.
Contents of the exposed data
The breach affected Twitter web users who share devices and make purchases on the social media network. The vulnerability exposed data associated with account profiles as well as billing information. The details exposed include business users’ email addresses, phone numbers and the last digits of the credit card number used for purchases on the platform. The flaw arose because the Twitter web application allowed user data to be stored in the browser’s cache.
Although Twitter did not disclose further details about the exposed data, the social media giant released a statement acknowledging the security flaw. Twitter’s spokesperson said that “if you viewed your billing information on ads.twitter.com or analytics.twitter.com,” the information was likely stored in the browser’s cache. The company added that it has resolved the issue and contacted the affected users with guidance on how to protect their accounts.
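The flaw described above is the classic case of a server letting the browser keep a page containing sensitive data in its HTTP cache, where anyone else using the same machine can read it. The following Python is an added illustration, not Twitter’s code: it builds the response headers a billing page should carry and audits a set of constructed response headers for the one directive that actually prevents the browser from storing the response, Cache-Control: no-store.

```python
from typing import Dict, List, Tuple

def sensitive_response_headers(content_type: str = "text/html; charset=utf-8") -> Dict[str, str]:
    """Headers a server should attach to any page that renders billing or account data.
    no-store is what modern browsers honour; Pragma and Expires cover older clients and proxies."""
    return {
        "Content-Type": content_type,
        "Cache-Control": "no-store, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }

def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'no-store, max-age=0' into {'no-store': '', 'max-age': '0'} (names lower-cased)."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip().lower()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip()] = arg.strip().strip('"')
    return directives

def is_safely_uncacheable(headers: Dict[str, str]) -> bool:
    """True only if the response will not be written to the browser's HTTP cache at all.
    no-cache, private and max-age=0 merely restrict *reuse*; the bytes still land on disk."""
    lookup = {k.lower(): v for k, v in headers.items()}
    return "no-store" in parse_cache_control(lookup.get("cache-control", ""))

def audit_responses(responses: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Return the paths whose responses a shared browser would keep on disk."""
    return [path for path, hdrs in responses if not is_safely_uncacheable(hdrs)]

# Constructed sample: a billing page served without caching directives (the weak case)
# next to the same page served with the hardened headers. Paths are hypothetical.
WEAK_BILLING_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Set-Cookie": "session=abc"}
SAMPLE_RESPONSES = [
    ("/ads/billing-before-fix", WEAK_BILLING_HEADERS),
    ("/ads/billing-after-fix", sensitive_response_headers()),
]

if __name__ == "__main__":
    for path in audit_responses(SAMPLE_RESPONSES):
        print(f"cacheable sensitive response: {path}")
```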
Chris Hauk, consumer privacy champion with Pixel Privacy, says users could do more to protect their personal data instead of relying on websites.
“I strongly recommend users set their browser to delete its cache when shutting down or restarting the browser. While clearing cache files will cause websites to load more slowly after you restart your browser, the security advantages easily outweigh this minor inconvenience.”
Prior data breaches on Twitter
Twitter has encountered similar bugs that compromised the accounts of many users. In 2019, the social media giant acknowledged a bug that allowed users to match millions of phone numbers to Twitter accounts.
The exposed data could allow stalkers to track people on the network just by knowing their phone numbers.
The social media company also shared the location data of users who had opted out of such collection with a third party. It is unclear how many other businesses may have received the information. The exposed data could allow third parties to target Twitter users with highly personalized advertisements and political messages.
Twitter also abused user trust by using the phone numbers provided for two-factor authentication to track users and serve targeted ads.
Twitter also admitted in 2018 to storing users’ passwords in plaintext. Storing passwords in plaintext means that anyone who obtains the data can read them directly and possibly use them to compromise other accounts belonging to the same user.
Although hackers did not access the exposed data, the incident points to weak data-handling policies or programming practices at Twitter. However, Twitter’s acknowledgment of the problem shows sincerity and concern for the security of its account holders.
Paul Bischoff, privacy advocate with Comparitech, downplays the security breach, saying it was minor in scope and severity.
“Twitter’s data security incident is relatively minor in both scope and severity. It only affects Twitter users who use the ads and analytics services, which is a small fraction of all Twitter users. Furthermore, an attacker needs access to the user’s browser in order to steal information, and they can only steal it from one user at a time. Compared to a data breach in which hackers obtain information on thousands or millions of users in one go, the incentive for hackers to steal it is small.”
Despite the low level of risk associated with the leak, the exposed data contained account information that could enable other attacks such as phishing. The data is also handy for malicious insiders with access to shared computers within their organizations.