In a message sent today to business owners on the platform, Twitter reported a data breach involving its advertisement and analytics platform. In the email to its clients, Twitter said it was “possible” that others could have accessed personal information, including email addresses, phone numbers and the last four digits of clients’ credit card numbers. https://www.bbc.com/news/technology-53150157
The letter reads, in part, “We are writing to let you know of a data security incident that may have involved your personal information on ads.twitter.com and analytics.twitter.com.
We became aware of an issue that meant that prior to May 20, 2020, if you viewed your billing information on ads.twitter.com or analytics.twitter.com the billing information may have been stored in the browser’s cache. Examples of that information include email address, phone number, last four digits of your credit card number (not complete numbers, expiration dates or security codes), and billing address. If you used a shared computer, it is possible that if someone used the computer after you they could have seen the information stored in the browser’s cache (most browsers generally store data in their cache by default for a short period of time like 30 days).”
Some early industry reactions include the following statements.
Craig Young, Computer Security Researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT):
“While this issue does not pose a risk for those of us using our own personal computers, it is a teachable moment regarding the risk of shared computers. Whether you regularly rely on libraries or Internet cafes for access or just need to print the occasional boarding pass from a hotel lobby, there can be a risk of exposing personal data.
Ideally, the best solution is to simply avoid using shared computers when entering or accessing personal data, but this is not always an option. The next best solution is to bring your own web browser and take it with you when you go. Several popular web browsers have Windows builds designed to be run entirely off a USB flash drive so that sensitive data gets cached to the removable media rather than being left behind for others to find. Another option is to forcibly delete the cache for whatever browser is in use. Despite these precautions, however, it is important to recognize that malware or physical key loggers on the system will still be effective at undermining security.”
James McQuiggan, Security Awareness Advocate, KnowBe4:
“Unfortunately, this data leak occurred with Twitter, and they, like many other technical organizations, have incidents from time to time that impact their users. Last year, mobile phone numbers from Twitter were grievously exposed. Twitter came forth, was transparent, and corrected the issue.
Organizations can determine within their culture how much information they wish to have publicly available. While email addresses and phone numbers are less critical, the last four digits of credit cards are not part of that distribution. While it’s only the four-digit number, it’s not difficult to get new credit card numbers to alleviate any fraud risk.
While this breach or leak, depending on its classification, is concerning, it’s more of a nuisance issue than a full-blown event where Twitter knew about it and hid it from the world.”
Steven Bowcut, CPP, PSP is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications.