[BreachExchange] Twitter says Vine users’ emails and phone numbers were exposed for a day, but weren’t misused

Inga Goddijn inga at riskbasedsecurity.com
Sun May 21 23:01:22 EDT 2017


Twitter is alerting
<https://medium.com/@vine/fixing-a-bug-in-the-vine-archive-47385e44ac2> Vine
users of a bug that exposed their email addresses and, in some cases, phone
numbers to third parties. It’s also advising affected users to be cautious
about any emails from unknown senders as a result. The company says the bug
was only active for 24 hours before being patched, and doesn’t believe that
the data was misused in any way, at this time.

To be clear, Twitter was not hacked nor is this considered a data breach –
instead, the email address or phone number the company had on file for some
Vine users was only available under certain circumstances, the company says.

The company declined to officially comment on the specifics of how the bug
was discovered or how it may have been seen by third parties, but we
understand that this data was not published on the Vine archive website
where anyone on the public internet could have seen it. Instead, if anyone
was to have seen the data at the time of exposure, they would have had to
do so through a more technical means – such as using an API to pull the

Twitter is only alerting users out of a desire to be transparent in
disclosing the vulnerability, not because they believe that anyone actually
captured the user data or misused it in any way.

In addition, Twitter says that the exposed emails or phone numbers would
not have allowed a third party to access someone’s Vine account because
passwords were not exposed as a part of this incident.

Emails are now going out to affected users, and will be personalized in
terms of whether the user had only their email, only their phone number, or
both exposed during the time the vulnerability was live.

Twitter declined to how many users or what percentage of the Vine user base
was impacted.

We understand that this issue would *not* have affected Twitter users who
didn’t also have Vine accounts, though.

Once a fairly popular social app, Vine was effectively shut down
the beginning of the year, but the company continues to maintain an online
archive of Vine videos
a basic utility for those users who want to still make short, looping video

However, the fact that these resources remain online even when Vine is no
longer a priority for the company means there’s still potential for things
like this security incident to occur. Despite Twitter’s obvious interest in
keeping the archive available for the Vine users and fandom, it may have
been better for Twitter to have fully shuttered the site so engineering
resources wouldn’t have to be diverted to its ongoing maintenance.

Twitter says users do not need to reset passwords on their Vine accounts,
but should be aware that any official communications from Vine will come
from an @twitter.com email address. Twitter will also never ask you via
email to open an attachment or request your password, it says.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170521/7c56274f/attachment.html>

More information about the BreachExchange mailing list