It has been reported that Twitter has detailed a serious “security incident” on the billing information of businesses using the social media giant.
In a message to business owners on the platform, Twitter reported a data breach while using its advertisement and analytics platform. This meant that prior to May 20, 2020 certain details would be stored within a web browser’s cache. Web cache is whereby documents or information of the pages a user has visited are stored on the web browser. In a message to sent to business owners on the platform, Twitter said: “We are writing to let you know of a data security incident that may have involved your personal information on ads.twitter and analytics.twitter.
“We became aware of an issue that meant that prior to May 20, 2020, if you viewed your billing information on ads.twitter or analytics.twitter the billing information may have been stored in the browser’s cache. Examples of that information include, email address, phone number, last four digits of your credit card number.”
As one of the industry\’s best-known brands, Twitter\’s security incident might come as a surprise for companies but should serve as much-needed wake-up call. Many companies implicitly trust platforms like Twitter, Twitter Ads and Twitter Analytics to fit together perfectly but the reality is they are run by different teams and stakeholders, while also trying to balance complex digital supply chains. Just one small mistake in the code anywhere across the platform can result in major vulnerabilities for millions of users. This incident appears to be a case of human error and has left an unknown number of advertisers\’ personal data vulnerable to unauthorized access, including their credit card details, phone numbers, and email addresses.
To protect themselves, companies must remember that trusting big brand names is not enough. Good cyber hygiene should be the first line of defense. Simple steps like evaluating what data is safe to store in the web browser, like frequently used images, and which should never be stored, like billing details, will help companies take some level of control. Secondly, gaining visibility into the company\’s network is critical. Companies are increasingly embracing AI, which can provide full, real-time visibility into everything happening on the network and shut down potential cyberattacks before they happen.
Twitter stored personal and financial information in the browser… this is a long known bad practice that should never have occurred, and it is hard to understand how a company that makes its business in web software and services could allow this to happen. The kill chain for this negligent exposure of PII goes way back through their development, security review, and release process and could/should have been caught multiple places before making it out to the public.
While Twitter is highlighting the use-case of a shared computer (more accurately shared browser instance/device “user”), the potential risk of locally cached (and unencrypted data) is much broader, and includes the potential for malicious websites and malware to exfiltrate the data from the browser. This is where attacks have been increasing as malware developers can use vulnerabilities in browsers, web technologies, and software supply chains (like magecart) to harvest valuable information from unsuspecting end-users.
It is clear from this breach that large companies, such as Twitter, are still finding it more than difficult to prevent breaches and keep their customers’ data safe. This seems to be becoming an all too common theme, with several organisations admitting to compromises in security recently. Our recent study, titled State of Email Security, found that 29% of UK businesses have lost data due to lack of cyber resilience preparedness. These data breaches could be prevented if the best security practices were followed by organisations. Customers that give their data expect it to be looked after and failing to do so can have very serious implications for organisations. The reputational damage can be extreme, with many customers unwilling to do business with an organisation that has experienced such an incident.
This particular breach is worrying because it appears that financial details were compromised, including email addresses, phone numbers, and the last four digits of clients\’ credit card numbers. These details can be used for future fraud and I would strongly recommend that anybody impacted, looks at changing their credit card immediately.
While we don\’t know for sure if the \”data breach\” was due to actions on the part of hackers or simply due to bad programming by developers, the Twitter cache issue underscores the importance of users not relying on websites to protect their privacy. I strongly recommend users set their browsers to delete their cache when shutting down or restarting the browser. While clearing cache files will cause websites to load more slowly after you restart your browser, the security advantages easily outweigh this minor inconvenience.
Twitter\’s data security incident is relatively minor in both scope and severity. It only affects Twitter users who use the ads and analytics services, which is a small fraction of all Twitter users. Furthermore, an attacker needs access to the user\’s browser in order to steal information, and they can only steal it from one user at a time. Compared to a data breach in which hackers obtain information on thousands or millions of users in one go, the incentive for hackers to steal it is small. The information they can access isn\’t particularly valuable given there\’s no complete payment data or especially sensitive personal information stored in the cache. If you\’ve logged into Twitter ads or analytics from a device that\’s used by other people, there\’s a chance that information could be stolen. Ads and analytics users should be on the lookout for targeted phishing emails from Twitter or a related company, and be sure to clear their browser caches.