Can Twitter spammers steal email addresses?

Some Twitter users have claimed that cyber-criminals may have been able to spam the email addresses registered with the social networking giant.

Can Twitter spammers steal email addresses?
Can Twitter spammers steal email addresses?

News broke on Wednesday afternoon after Accel data scientist Hilary Mason tweeted that spammers had been able to harvest an email address which she only ever used to register for an account on the website, which is used by some 255 million users around the world each month.

“Wow, just confirmed that somehow spammers are harvesting e-mail addresses from Twitter accounts. Is this a known issue?” questioned Mason.

Pressed further, she said that she was seeing email spam being sent to a unique email address which she ‘only ever used to register Twitter accounts'. This email, said Mason, was not publicised anywhere else.

A spokesperson for Twitter initially queried the claim – saying that he had only ever seen spammers trying to ‘guess/aggregate' addresses– but said that the San Francisco-based technology giant would look into the issue.

Speaking to SCMagazineUK.com shortly afterwards, Mason said that the spam message had been sent to an email account ‘only ever used to register a Twitter account' – in this case the bot Twitter account @RobotzRule.

“I have no insight into Twitter's technical architecture, but having worked on similar systems makes me think perhaps there's a bug in the "find your contacts" feature,” she said.

But she admitted that the spam attack could have come from a different service entirely: “It's also possible the e-mail address was harvested from another mechanism, like my Gmail account was hacked, or the root account for the Google apps domain, or that I pushed some code for the bot to github at some point that included its e-mail address (though it doesn't look like this one is up there).”

“You can't assume it's Twitter's fault, but that seems most likely to me right now.”

The fault could lie with Twitter's promoted tweets. The company allows businesses to set a daily budget for their social marketing campaign – defining a maximum budget they're willing to spend per click or follow – and another Twitter user reckons it could be offering up users' email addresses.

User ‘PatRiotchick' claimed on Wednesday that her email address was exposed when clicking on a promoted tweet.

“Dear Twitter, why is my email address immediately exposed even if I click on a #CPC promoted tweet? What about our privacy,” she wrote.

Rik Ferguson, vice president of security research at Trend Micro, told SCMagazineUK.com  that it was difficult to speculate on what the issue could be, having not seen the support ticket submitted to Twitter, and said that the suggestion of a bug in the contacts book ‘seems like guesswork'. He did, however, suggest that a “lot of mobile developers do not know that they are unintentionally leaking data”.

Ferguson went onto say that the social network does have a strong history in terms of fixing vulnerabilities, pointing to the Twitter help centre – where there's an online form for reporting violations or vulnerabilities – and the company's hall of fame of security researchers, which has grown extensively since 12 in 2010 to 42 in 2014.

“They're actively working with the community and that's the best you can expect from anybody to be honest,” said Ferguson.

Chris Boyd, malware intelligence analyst at Malwarebytes, added in an email to SC: “Any instance where an individual has found a way to scrape non-public data could raise privacy concerns. Tools which scrape emails posted to public facing social media profiles have existed for a long time, and even without scraping, it's possible to make an educated guess as to what a user's address might be.

“There's a good case for using disposable email addresses for each service we make use of."

At the time of going to press, Twitter had not responded to SC's request for comment. We will update this story when/if we hear back.