Concern has been expressed as Twitter emails business clients to admit that personal data such as email addresses may have been compromised.
Billing information for some clients that was stored in a browser’s cache may have been compromised, Twitter’s email went on to say.
Further, it was “possible” that the personal information, such as email addresses, phone numbers & the last 4 digits of clients’ credit card numbers, could have been accessed by others.
Twitter said it was ‘very sorry’ & added there was ‘no evidence’ that clients’ billing information was in any way compromised.
They became aware of the issue, which has since been fixed, on May 20.
The vulnerability affected businesses using Twitter’s ads & analytics platforms, & it is unclear how many companies were affected.
Back in 2018, the company asked its users to change passwords after an internal leak.
Dr Francis Gaffney, Director of Threat Intelligence at Mimecast explained that this particular breach is highly worrying because it seems that financial details were compromised, including email addresses, phone numbers, & the last 4 digits of clients’ credit card numbers.
Gaffney observed these could be used for future fraud, & strongly recommended that anybody impacted looks at changing their credit card immediately.
He went on to say, “It is clear from this breach that large companies, such as Twitter, are still finding it more than difficult to prevent breaches & keep their customers’ data safe. This seems to be becoming an all too common theme, with several organisations admitting to compromises in security recently.
“Our recent study, titled State of Email Security, found that 29% of UK businesses have lost data due to lack of cyber resilience preparedness. These data breaches could be prevented if best security practices were followed by organisations.
“Customers that give their data expect it to be looked after and failing to do so can have very serious implications for organisations. The reputational damage can be extreme, with many customers unwilling to do business with an organisation that has experienced such an incident.”
Paul Bischoff, Privacy Advocate at Comparitech.com, observed “Twitter’s data security incident is relatively minor in both scope & severity. It only affects Twitter users who use the ads & analytics services, which is a small fraction of all Twitter users.
“Furthermore, an attacker needs access to the user’s browser in order to steal information, & they can only steal it from one user at a time. Compared to a data breach in which hackers obtain information on thousands or millions of users in one go, the incentive for hackers to steal it is small.
“The information they can access is not particularly valuable given there’s no complete payment data or especially sensitive personal information stored in the cache.
“If you have logged into Twitter ads or analytics from a device that is used by other people, there’s a chance that information could be stolen. Ads & analytics users should be on the lookout for targeted phishing emails from Twitter or a related company & be sure to clear their browser caches.”
Flavius Plesu, Founder & CEO of Out Think explained that though the extent of the breach is as yet unknown, the data that has been accessed is valuable to hackers & can be used for a number of future applications.
Plesu observed “The exact methodology of the breach is unclear at present, but data accessed in a browser cache is highly likely to have been down to human error. But, if this is the case, I hope lessons are learned from the breach & it doesn’t become another case of companies blaming their users for their own shortcomings.”
Plesu then added that the cybersecurity industry should stop holding users to account for data breaches.
He further explained: “It isn’t the user that is to blame, but failure of security processes & security that doesn’t work for people doesn’t work. We have seen many times in the past that users will circumvent security that hinders their productivity, & you can blame them for this – security should not be a blocker to productivity, but an enabler.
“We need to have conversations with users about security processes & find out what works for them, what doesn’t and any risky behaviour they exhibit.
“Then security has to be tailored to each individual’s needs, otherwise, they will simply ignore security & get on with their jobs.”
David Kennefick, Product Architect at Edgescan, commented that it was good that Twitter has taken ‘ownership’ of the breach though he thought the response seemed a “little excessive”.
Kennefick suggested that, “The vector here requires physical access to the device, so it may not be as exploitable as an alert like this might indicate. What Twitter has done is update their headers to include no-store and no-cache, which disables storing data from a website locally. Overall, not really an incident worth worrying about.”
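The fix Kennefick describes is a change to the HTTP response headers. The following added example (not Twitter’s code; the sample responses are constructed) shows how to tell whether a browser is permitted to write a response to its local cache, and what the hardened header set looks like. Note the caveat in `may_be_stored`: `no-cache` on its own does not stop storage, only `no-store` does.

```python
"""Audit HTTP response headers for browser cacheability (RFC 7234 semantics)."""
from typing import Dict, List

# Constructed sample responses, modelled on the incident in the article:
# a billing page served without cache-restricting headers, and the same
# page after the fix adds no-store and no-cache.
BEFORE_FIX = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private, max-age=600",
}
AFTER_FIX = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store, no-cache",
    "Pragma": "no-cache",
    "Expires": "0",
}


def cache_directives(headers: Dict[str, str]) -> List[str]:
    """Parse Cache-Control into lowercase directive names, values dropped."""
    raw = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    return [p.strip().split("=")[0].lower() for p in raw.split(",") if p.strip()]


def may_be_stored(headers: Dict[str, str]) -> bool:
    """True if a browser may write the response body to its disk cache.

    Only 'no-store' forbids storing outright.  'no-cache' alone still lets the
    browser store the response (it merely forces revalidation before reuse),
    and 'private' only excludes shared proxies, not the local browser cache.
    """
    return "no-store" not in cache_directives(headers)


def hardened_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with local caching disabled.

    Pragma and Expires are kept for HTTP/1.0-era clients that ignore
    Cache-Control; no-store is the directive that actually does the work.
    """
    fixed = {k: v for k, v in headers.items()
             if k.lower() not in ("cache-control", "pragma", "expires")}
    fixed["Cache-Control"] = "no-store, no-cache"
    fixed["Pragma"] = "no-cache"
    fixed["Expires"] = "0"
    return fixed


def audit(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of sampled responses a shared-machine browser could retain."""
    return [name for name, h in responses.items() if may_be_stored(h)]
```

Running `audit({"before": BEFORE_FIX, "after": AFTER_FIX})` flags only the pre-fix response.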
Craig Young, Senior Security Researcher at Tripwire, further observed that while the vulnerability did not pose a risk for most people using PCs, it was a “teachable moment” regarding the risk of shared computers.
Young explained “Whether you regularly rely on libraries or Internet cafes for access or just need to print the occasional boarding pass from a hotel lobby, there can be a risk of exposing personal data. Ideally, the best solution is to simply avoid using shared computers when entering or accessing personal data, but this is not always an option.
“The next best solution is to bring your own web browser & take it with you when you go.
“Several popular web browsers have Windows builds designed to be run entirely off a USB flash drive so that sensitive data gets cached to the removable media rather than being left behind for others to find. Another option is to forcibly delete the cache for whatever browser is in use.
“Despite these precautions, however, it is important to recognise that malware or physical key loggers on the system will still be effective at undermining security.”
Tim Mackey, Principal Security Strategist at the Synopsys CyRC (Cybersecurity Research Centre), suggested that browser cookies are a ‘double-edged sword’.
Mackey stated “While they can help simplify the process of identifying a user and their preferences, they shouldn’t be a proxy for a database. In this case, it appears the development team for Twitter Business stored sensitive information in browser cookies & turned their browser cookies into a cache of database information.
“Not only does this presume that the user will always use the same device when accessing their Twitter Business account, but it also presumes the user has only one device since changes in information like updated billing information can’t possibly be sent to the browser cache of all devices when data updates happen.
“The better way to handle sensitive information is to only request it from a secured data store as needed & then ensure local copies of the data aren’t created which could be left behind.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, further commented “While we don’t know for sure if the “data breach” was due to actions on the part of hackers or simply due to bad programming by developers, the Twitter cache issue underscores the importance of users not relying on websites to protect their privacy.
“I strongly recommend users set their browser to delete its cache when shutting down or restarting the browser. While clearing cache files will cause websites to load more slowly after you restart your browser, the security advantages easily outweigh this minor inconvenience.”