[BreachExchange] Twitter apologizes for leaking businesses’ financial data

Destry Winant destry at riskbasedsecurity.com
Thu Jun 25 10:34:28 EDT 2020


https://nakedsecurity.sophos.com/2020/06/25/twitter-apologizes-for-leaking-businesses-financial-data/


Twitter apologized on Tuesday for letting business clients’ billing
information land in browser cache – a spot where anyone who later used
the same browser could have had a peek, whether or not they had any
right to see it.

In an email to its clients, Twitter said it was “possible” that others
could have accessed the sensitive information, which included email
addresses, phone numbers and the last four digits of clients’ credit
card numbers. Any and all of that data could leave businesses
vulnerable to phishing campaigns and business email compromise (BEC) –
a crime that the FBI says is getting pulled off by increasingly
sophisticated operators who’ve grown fond of vacuuming out payrolls.

Mind you, Twitter hasn’t come across evidence that billing information
was, in fact, compromised.

On 20 May, Twitter updated the caching instructions its servers send
to browsers, thereby putting a stopper in the leak. The two affected
platforms are ads.twitter.com and analytics.twitter.com. If you viewed
your billing information on either platform before 20 May, that
information may have been stored in your browser’s cache.

Browser-sharers take heed

Twitter said that if you used a shared computer during that time,
someone who used the computer after you may have seen the billing
information stored in the browser’s cache. The company notes that most
browsers generally store data in their cache by default for a short
period of time – say, 30 days.
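The fix described above is a change to response headers, and the “30 days” figure above comes from the heuristic a browser falls back on when a page sends no caching instructions at all. As an added example (this is not Twitter’s code or anything from the article; the header sets and dates are constructed), the following Node.js script decides whether a browser’s private cache may write a response to disk, using the storage and freshness rules of RFC 7234 in simplified form, and compares a billing page that sends no cache directives with the same page hardened by Cache-Control: no-store. The 10% heuristic lifetime is the value the RFC suggests; real browsers vary.

```javascript
// Added example: audit whether a browser may store an HTTP response, and
// show a leaky billing-page header set beside a hardened one.
// Not Twitter's code; all header values below are constructed.

// Parse a Cache-Control value into { directive: value | true }.
function parseCacheControl(value) {
  const directives = {};
  if (!value) return directives;
  for (const part of value.split(',')) {
    const eq = part.indexOf('=');
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;
    directives[name] = eq < 0 ? true : part.slice(eq + 1).trim().replace(/^"|"$/g, '');
  }
  return directives;
}

// RFC 7234 section 4.2.2: with no explicit freshness, a cache may reuse a
// response for a heuristic lifetime, commonly 10% of the time since
// Last-Modified. Returns whole seconds, or null without a Last-Modified.
function heuristicFreshnessSeconds(headers, now = Date.now()) {
  const lm = headers['last-modified'];
  if (!lm) return null;
  const ageSeconds = Math.max(0, (now - Date.parse(lm)) / 1000);
  return Math.floor(ageSeconds / 10);
}

// Status codes a cache may store even without explicit freshness (RFC 7231 6.1).
const CACHEABLE_BY_DEFAULT = [200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501];

// Decide whether a browser's private cache may write this response to disk.
// `headers` is a lowercase-keyed object, as Node's http.IncomingMessage exposes them.
function browserCacheDecision(headers, { status = 200, method = 'GET', now = Date.now() } = {}) {
  const cc = parseCacheControl(headers['cache-control']);
  if (method !== 'GET' && method !== 'HEAD') {
    return { stored: false, reason: `${method} responses are not cached by default` };
  }
  if ('no-store' in cc) {
    return { stored: false, reason: 'Cache-Control: no-store forbids storage' };
  }
  // 'private' only excludes shared caches; the browser may still store it.
  // 'no-cache' allows storage but requires revalidation before reuse, so the
  // bytes still sit on disk for anyone who inspects the cache directory.
  if ('no-cache' in cc) {
    return { stored: true, reason: 'no-cache: stored, revalidated before reuse' };
  }
  if ('max-age' in cc) {
    return { stored: true, reason: `explicit freshness: max-age=${cc['max-age']}` };
  }
  if (headers['expires']) {
    return { stored: true, reason: `explicit freshness: Expires ${headers['expires']}` };
  }
  if (!CACHEABLE_BY_DEFAULT.includes(status)) {
    return { stored: false, reason: `status ${status} is not cacheable without explicit freshness` };
  }
  const heuristic = heuristicFreshnessSeconds(headers, now);
  if (heuristic !== null) {
    return { stored: true, reason: `heuristically fresh for ~${heuristic}s (10% of Last-Modified age)` };
  }
  return { stored: true, reason: 'no freshness information, but status is cacheable by default' };
}

// Copy the headers with directives that keep a sensitive page out of
// browser and intermediary caches.
function hardenHeaders(headers) {
  return {
    ...headers,
    'cache-control': 'no-store, max-age=0',
    pragma: 'no-cache', // legacy HTTP/1.0 caches
    expires: '0',
  };
}

// Constructed sample: a billing page that sends no caching directives at all.
const leakyBillingHeaders = {
  'content-type': 'text/html; charset=utf-8',
  'last-modified': 'Wed, 13 May 2020 09:00:00 GMT',
  'set-cookie': 'session=opaque; Secure; HttpOnly',
};
const hardenedBillingHeaders = hardenHeaders(leakyBillingHeaders);

// Constructed "now": 41 days after Last-Modified, so the heuristic is ~4.1 days.
const SAMPLE_NOW = Date.parse('Tue, 23 Jun 2020 09:00:00 GMT');
console.log('before:', browserCacheDecision(leakyBillingHeaders, { now: SAMPLE_NOW }));
console.log('after: ', browserCacheDecision(hardenedBillingHeaders, { now: SAMPLE_NOW }));
```

Run it with `node` to see the two decisions side by side. The point the checker makes is that `no-cache` and `private` are not enough on their own: only `no-store` keeps the bytes off the disk, which is why clearing the cache on logout (the client-side advice below) is the fallback, and the server-side header change is the actual fix.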

What to do?

Twitter recommends that those who use a shared computer to access
Twitter Ads or Analytics billing information should clear the browser
cache when they log out.

Twitter’s mea culpa

Whoops, Twitter said:

We’re very sorry this happened. We recognize and appreciate the trust
you place in us, and are committed to earning that trust every day.

The company didn’t say how many accounts were affected.

If you’ve got questions, Twitter says you can write to its Office of
Data Protection.

Not the first flub

This isn’t the first time that Twitter’s stumbled with account security.

In May 2018, we got a warning from Twitter admitting that the company
had made a serious security blunder: it had been writing users’
passwords to an internal log before they were hashed. That’s right:
plaintext passwords, saved to disk.

You’re reading Naked Security, so there’s a good chance you already
know that plaintext passwords are an acutely bad idea.


A few years prior to that, in June 2016, Twitter locked out some users
after nearly 33 million logins went up for sale. The thievery was
credited to a well-known hacker and dark-web seller: a Russian actor
known by the handle Tessa88. Twitter said at the time that its systems
hadn’t been breached and that the logins may have come from other
password leaks.

That’s a whole lot of leaked passwords and about 33 million reasons to
repeat the “use a unique, strong password” mantra. Need a real bruiser
of a password? Here’s how to pick a strong password.

Ixnay on the password reuse, too, of course. That’s where a password
manager comes in handy.

Do all that to protect your credentials, wipe browser cache if you’re
potentially affected by this browser cache storage glitch, and stay
safe!


More information about the BreachExchange mailing list