Most of us have heard of, and probably use, Twitter, and its logo is recognized everywhere. Other social media outlets have come and gone, but Twitter has stayed the course and remains a social media giant.
Recently Twitter had a breach, or a “data security incident” in corporate speak. Twitter detected the problem on May 20, 2020.
It did not affect all users, which would have been a disaster. It affected only the business users who paid for advertisements on the platform through Twitter Ads and Analytics Manager.
The data involved was not the most critical kind, but it still should not have been exposed. It included the business user’s email address, billing address, phone number, and the last four digits of their credit card number. It could have been much worse for the clients if more information, such as full card numbers, had been included. What further limits the issue is that an attacker would need access to the user’s browser to read the information: the data would have to be collected one machine at a time by someone who could sit down at, or otherwise get into, that particular browser. Given how the data has to be retrieved, this attack, while a real issue, is practical only in very limited circumstances. If the data could be retrieved easily at scale and more confidential information were exposed, the story would be totally different.
In this day and age of continued data loss, you would expect a data leakage program to be in place that reviews systems, configurations, and just about everything else to ensure, as far as possible, that this does not happen. Unfortunately, there was a gap. When a business user viewed their billing information on ads.twitter.com or analytics.twitter.com, which would not be unusual, the responses did not tell the browser to avoid caching them, so the billing details were written to the browser’s local cache, where anyone who later had access to that browser could find them. While this is not the end of the world for the affected parties, it should be treated as a teachable moment: a real-life example of what can happen when caching is left at its defaults on pages that render sensitive data.
Clearly, this is a problem. Once Twitter detected the issue, they did resolve it: the fix was to update the response headers on those pages to Cache-Control: no-store, no-cache, which instructs the browser not to store the page locally. Beyond the configuration that allowed this in the first place, the other issue was timing. Twitter detected the problem on May 20, 2020, and did not notify the affected users until more than a month later. While the data leakage was limited, as noted, it really should not have taken a month to notify the affected parties.
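To make the fix concrete, here is an added example (not Twitter’s code, and not taken from the original post) in Node.js: the hardened header set a page that renders billing data should send, a helper that applies it to a response, and a small audit that flags header sets a browser would still be allowed to store. The header values, the finding codes, and the constructed “weak” header set are assumptions for illustration; the weak set simply stands in for a page served with no caching directives, as the post describes.

```javascript
// Added example, not Twitter's code: the Cache-Control fix described above,
// plus an audit that flags responses a browser is allowed to write to disk.

// Headers a page that renders billing data should send. "no-store" is the
// directive that actually forbids storage; "no-cache" only forces revalidation
// before reuse, and Pragma/Expires cover older HTTP/1.0-style caches.
function noStoreHeaders() {
  return {
    'Cache-Control': 'no-store, no-cache, must-revalidate, max-age=0',
    'Pragma': 'no-cache',
    'Expires': '0',
  };
}

// Apply the hardened headers to a Node http.ServerResponse, or to anything
// with a setHeader(name, value) method (the demo below passes a fake).
function setNoStoreHeaders(res) {
  for (const [name, value] of Object.entries(noStoreHeaders())) {
    res.setHeader(name, value);
  }
  return res;
}

// Parse a Cache-Control value into { directive: value | true }, with
// lowercase directive names, so the audit can test for them.
function parseCacheControl(value) {
  const directives = {};
  if (!value) return directives;
  for (const part of value.split(',')) {
    const [rawName, rawValue] = part.trim().split('=');
    if (!rawName) continue;
    directives[rawName.toLowerCase()] =
      rawValue === undefined ? true : rawValue.replace(/^"|"$/g, '');
  }
  return directives;
}

// Audit the response headers of a page that carries sensitive data.
// Returns an array of finding codes (assumed names, not a standard);
// an empty array means the browser is told not to store the body at all.
function auditCacheHeaders(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value;
  }
  const findings = [];
  if (lower['cache-control'] === undefined) {
    // No directives at all: the browser may cache the page heuristically.
    findings.push('missing-cache-control');
    return findings;
  }
  const cc = parseCacheControl(lower['cache-control']);
  const hasNoStore = 'no-store' in cc;
  if (!hasNoStore) {
    // A common mistake: "no-cache" alone still lets the body be stored.
    findings.push('no-cache' in cc ? 'no-cache-is-not-no-store' : 'missing-no-store');
  }
  if ('public' in cc) findings.push('public-directive');
  if (!hasNoStore && 'max-age' in cc && Number(cc['max-age']) > 0) {
    findings.push('positive-max-age');
  }
  return findings;
}

// Demo with constructed header sets. The weak set stands in for a billing
// page served with no caching directives; the fixed set adds noStoreHeaders().
const weakBillingHeaders = { 'Content-Type': 'text/html; charset=utf-8' };
console.log('weak :', auditCacheHeaders(weakBillingHeaders));
console.log('fixed:', auditCacheHeaders({ ...weakBillingHeaders, ...noStoreHeaders() }));

module.exports = { noStoreHeaders, setNoStoreHeaders, parseCacheControl, auditCacheHeaders };
```

The audit deliberately treats `no-cache` on its own as a finding: it tells the browser to revalidate before reusing a stored copy, but it does not forbid writing the response to disk, which is exactly the exposure described above. Only `no-store` does that, which is why it leads the hardened header value. In a real deployment you would call `setNoStoreHeaders(res)` from the handler (or middleware) that serves the billing and analytics pages, and run `auditCacheHeaders` over captured response headers as a check in your test suite.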
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.