New Twitter Breach – Security Expert Comments

It has been reported that Twitter has detailed a serious “security incident” affecting the billing information of businesses that advertise on the social media giant's platform.

In a message to business owners on the platform, Twitter reported a data security incident affecting its advertising and analytics services: prior to May 20, 2020, certain billing details could be stored in a web browser’s cache. A web cache is the browser’s local store of documents and data from pages the user has visited, kept so that those pages load faster next time. Twitter said: “We are writing to let you know of a data security incident that may have involved your personal information on ads.twitter and analytics.twitter.

“We became aware of an issue that meant that prior to May 20, 2020, if you viewed your billing information on ads.twitter or analytics.twitter the billing information may have been stored in the browser’s cache. Examples of that information include email address, phone number, last four digits of your credit card number.”

Expert Comments

June 24, 2020
Francis Gaffney
Director of Threat Intelligence
Mimecast
It is clear from this breach that large companies, such as Twitter, are still finding it more than difficult to prevent breaches and keep their customers’ data safe. This seems to be becoming an all too common theme, with several organisations admitting to compromises in security recently. Our recent study, titled State of Email Security, found that 29% of UK businesses have lost data due to lack of cyber resilience preparedness. These data breaches could be prevented if the best security practices were followed by organisations. Customers that give their data expect it to be looked after and failing to do so can have very serious implications for organisations. The reputational damage can be extreme, with many customers unwilling to do business with an organisation that has experienced such an incident. This particular breach is worrying because it appears that financial details were compromised, including email addresses, phone numbers, and the last four digits of clients' credit card numbers. These details can be used for future fraud and I would strongly recommend that anybody impacted looks at changing their credit card immediately.
June 24, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
While we don't know for sure if the "data breach" was due to actions on the part of hackers or simply due to bad programming by developers, the Twitter cache issue underscores the importance of users not relying on websites to protect their privacy. I strongly recommend users set their browsers to delete their cache when shutting down or restarting the browser. While clearing cache files will cause websites to load more slowly after you restart your browser, the security advantages easily outweigh this minor inconvenience.
June 24, 2020
Paul Bischoff
Privacy Advocate
Comparitech
Twitter's data security incident is relatively minor in both scope and severity. It only affects Twitter users who use the ads and analytics services, which is a small fraction of all Twitter users. Furthermore, an attacker needs access to the user's browser in order to steal information, and they can only steal it from one user at a time. Compared to a data breach in which hackers obtain information on thousands or millions of users in one go, the incentive for hackers to steal it is small. The information they can access isn't particularly valuable given there's no complete payment data or especially sensitive personal information stored in the cache. If you've logged into Twitter ads or analytics from a device that's used by other people, there's a chance that information could be stolen. Ads and analytics users should be on the lookout for targeted phishing emails from Twitter or a related company, and be sure to clear their browser caches.
June 24, 2020
Mark Bower
Senior Vice President
comforte AG
The likely culprit here is human error, but it illustrates the frailty of modern, dynamic environments to just one or two configurations that can lead to potential catastrophe. While the data exposed here is limited in nature, it’s a timely reminder that organizations capturing personal data need to examine the complete data lifecycle risks and implement protective and operational controls that limit its exposure end to end.
June 24, 2020
Rusty Carter
Vice President
Digital.ai
Twitter stored personal and financial information in the browser… this is a long-known bad practice that should never have occurred, and it is hard to understand how a company that makes its business in web software and services could allow this to happen. The kill chain for this negligent exposure of PII goes way back through their development, security review, and release process and could/should have been caught multiple places before making it out to the public. While Twitter is highlighting the use-case of a shared computer (more accurately shared browser instance/device “user”), the potential risk of locally cached (and unencrypted) data is much broader, and includes the potential for malicious websites and malware to exfiltrate the data from the browser. This is where attacks have been increasing as malware developers can use vulnerabilities in browsers, web technologies, and software supply chains (like Magecart) to harvest valuable information from unsuspecting end-users.
June 25, 2020
Justin Fier
Director of Cyber Intelligence & Analytics
Darktrace
As one of the industry's best-known brands, Twitter's security incident might come as a surprise for companies but should serve as a much-needed wake-up call. Many companies implicitly trust platforms like Twitter, Twitter Ads and Twitter Analytics to fit together perfectly but the reality is they are run by different teams and stakeholders, while also trying to balance complex digital supply chains. Just one small mistake in the code anywhere across the platform can result in major vulnerabilities for millions of users. This incident appears to be a case of human error and has left an unknown number of advertisers' personal data vulnerable to unauthorized access, including their credit card details, phone numbers, and email addresses. To protect themselves, companies must remember that trusting big brand names is not enough. Good cyber hygiene should be the first line of defense. Simple steps like evaluating what data is safe to store in the web browser, like frequently used images, and which should never be stored, like billing details, will help companies take some level of control. Secondly, gaining visibility into the company's network is critical. Companies are increasingly embracing AI, which can provide full, real-time visibility into everything happening on the network and shut down potential cyberattacks before they happen.