Fears over ‘worrying’ Twitter breach as personal details are compromised

News by Andrew McCorkell

Industry experts express concern as Twitter emails business clients to admit personal data like email addresses have potentially been compromised.

Billing information for some clients that was stored in a browser's cache may have been compromised, Twitter has said in an email to business clients.

The social media firm said it was "possible" that the personal information, such as email addresses, phone numbers and the last four digits of clients' credit card numbers, could have been accessed by others.

The tech giant said it was ‘very sorry’ adding that there was no evidence that clients' billing information was compromised.

The firm became aware of the issue, which has now been fixed, on May 20.

The vulnerability affected businesses using Twitter's analytics and analytics platforms and it is not clear how many companies were affected.

The company said it became aware of the issue on 20 May and has since fixed the problem.

In 2018, the company asked its users to change passwords after an internal leak.

Dr Francis Gaffney, director of threat intelligence at Mimecast said that this particular breach is worrying because it appears that financial details were compromised, including email addresses, phone numbers, and the last four digits of clients' credit card numbers.

Gaffney said these could be used for future fraud strongly recommended that anybody impacted, looks at changing their credit card immediately.

He said: “It is clear from this breach that large companies, such as Twitter, are still finding it more than difficult to prevent breaches and keep their customers’ data safe. This seems to be becoming an all too common theme, with several organisations admitting to compromises in security recently.

“Our recent study, titled State of Email Security, found that 29 per cent of UK businesses have lost data due to lack of cyber resilience preparedness. These data breaches could be prevented if best security practices were followed by organisations.

"Customers that give their data expect it to be looked after and failing to do so can have very serious implications for organisations. The reputational damage can be extreme, with many customers unwilling to do business with an organisation that has experienced such an incident.”

Paul Bischoff, privacy advocate at Comparitech.com, said: “Twitter's data security incident is relatively minor in both scope and severity. It only affects Twitter users who use the ads and analytics services, which is a small fraction of all Twitter users.

"Furthermore, an attacker needs access to the user's browser in order to steal information, and they can only steal it from one user at a time. Compared to a data breach in which hackers obtain information on thousands or millions of users in one go, the incentive for hackers to steal it is small. The information they can access isn't particularly valuable given there's no complete payment data or especially sensitive personal information stored in the cache.

“If you've logged into Twitter ads or analytics from a device that's used by other people, there's a chance that information could be stolen. Ads and analytics users should be on the lookout for targeted phishing emails from Twitter or a related company and be sure to clear their browser caches."

Flavius Plesu, founder and CEO of OutThink said that though the extent of the breach isn’t yet known, the data that has been accessed is valuable to hackers and can be used for a number of future applications.

Plesu said: “The exact methodology of the breach is unclear at present, but data accessed in a browser cache is highly likely to have been down to human error. But, if this is the case, I hope lessons are learned from the breach and it doesn’t become another case of companies blaming their users for their own shortcomings.”

Plesu added that it was time the cybersecurity industry stopped holding users to account for data breaches.

He said: “It isn’t the user that is to blame, but failure of security processes and security that doesn’t work for people doesn’t work. We have seen many times in the past that users will circumvent security that hinders their productivity, and you can blame them for this - security shouldn’t be a blocker to productivity, but an enabler.

“We need to have conversations with users about security processes and find out what works for them, what doesn’t and any risky behaviour they exhibit. Then security has to be tailored to each individual’s needs, otherwise, they will simply ignore security and get on with their jobs.”

David Kennefick, product architect at Edgescan, said that it was good that Twitter has taken ownership of the breach though he thought the response seemed a “little excessive”.

Kennefick said: “The vector here requires physical access to the device, so it may not be as exploitable as an alert like this might indicate. What Twitter has done is update their headers to include no-store and no-cache, which disables storing data from a website locally. Overall, not really an incident worth worrying about.”

Craig Young, senior security researcher at Tripwire, added that while the vulnerability did not pose a risk for most people using personal computers, it was a ”teachable moment” regarding the risk of shared computers.

Young said: “Whether you regularly rely on libraries or Internet cafes for access or just need to print the occasional boarding pass from a hotel lobby, there can be a risk of exposing personal data. Ideally, the best solution is to simply avoid using shared computers when entering or accessing personal data but this is not always an option. The next best solution is to bring your own web browser and take it with you when you go.

“Several popular web browsers have Windows builds designed to be run entirely off a USB flash drive so that sensitive data gets cached to the removable media rather than being left behind for others to find. Another option is to forcibly delete the cache for whatever browser is in use. Despite these precautions, however, it is important to recognise that malware or physical key loggers on the system will still be effective at undermining security.”

Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre), said that browser cookies are a double-edged sword.

Mackey said: “While they can help simplify the process of identifying a user and their preferences, they shouldn’t be a proxy for a database. In this case, it appears the development team for Twitter Business stored sensitive information in browser cookies, and turned their browser cookies into a cache of database information.

“Not only does this presume that the user will always use the same device when accessing their Twitter Business account, but it also presumes the user has only one device since changes in information like updated billing information can’t possibly be sent to the browser cache of all devices when data updates happen.

“The better way to handle sensitive information is to only request it from a secured data store as needed and then ensure local copies of the data aren’t created which could be left behind."

Chris Hauk, consumer privacy champion at Pixel Privacy, added: "While we don't know for sure if the "data breach" was due to actions on the part of hackers or simply due to bad programming by developers, the Twitter cache issue underscores the importance of users not relying on websites to protect their privacy.

“I strongly recommend users set their browser to delete its cache when shutting down or restarting the browser. While clearing cache files will cause websites to load more slowly after you restart your browser, the security advantages easily outweigh this minor inconvenience.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews