Twitter has admitted to a data security incident in which business users’ billing information was stored in the browser’s cache, where anyone else using the same computer could potentially have read it.
The social media giant said the incident affected only business users who paid for advertisements on the platform. If a business user viewed their billing information on ads.twitter.com or analytics.twitter.com, the browser kept a copy of that page in its local cache, something the responses should have instructed it not to do.
“We became aware of an incident where, if you viewed your billing information on ads.twitter.com or analytics.twitter.com, the billing information may have been stored in the browser’s cache,” the company told TechCrunch.
“As soon as we discovered this was happening, we resolved the issue and communicated to potentially impacted clients to make sure they were aware and informed on how to protect themselves moving forward.”
Twitter discovered the issue on 20 May and then contacted affected business users to advise them about it. The exposed information included business users’ email addresses, phone numbers, and the last four digits of their credit card numbers.
Commenting on the data security incident, Paul Bischoff, Privacy Advocate at Comparitech.com, said that the incident was relatively minor in both scope and severity. “It only affects Twitter users who use the ads and analytics services, which is a small fraction of all Twitter users. Furthermore, an attacker needs access to the user’s browser in order to steal information, and they can only steal it from one user at a time.”
“Compared to a data breach in which hackers obtain information on thousands or millions of users in one go, the incentive for hackers to steal it is small. The information they can access isn’t particularly valuable given there’s no complete payment data or especially sensitive personal information stored in the cache,” he added.
David Kennefick, product architect at Edgescan, also said that the data security incident shouldn’t worry users much, as access to the leaked information requires physical access to the device, so it may not be as exploitable as an alert like this might suggest.
“What Twitter have done is update their headers to include no-store and no-cache, which disables storing data from a website locally. Overall, not really an incident worth worrying about,” he added.
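The fix Kennefick describes hinges on one detail worth checking in your own applications: of the two directives named, only `no-store` actually stops a browser from writing a response to disk; `no-cache` by itself merely forces revalidation before a cached copy is reused, so the body still ends up in the profile’s cache where another local user can read it. The following is an added example, not Twitter’s code or part of the original article. It assumes a plain header map for a hypothetical billing page and shows a weak header set beside a hardened one, together with a small audit function that reports why a sensitive response is still storable.

```javascript
// Added example (not from Twitter or the article): how Cache-Control directives
// decide whether a browser may keep a response such as a billing page on disk.

// Parse a Cache-Control value into a directive map.
// 'no-store, max-age="0"' -> { "no-store": true, "max-age": "0" }
function parseCacheControl(value) {
  const directives = {};
  if (!value) return directives;
  for (const part of value.split(",")) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf("=");
    if (eq === -1) {
      directives[token.toLowerCase()] = true;
    } else {
      const name = token.slice(0, eq).trim().toLowerCase();
      directives[name] = token.slice(eq + 1).trim().replace(/^"|"$/g, "");
    }
  }
  return directives;
}

// Case-insensitive header lookup (HTTP header names are not case-sensitive).
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// True if a browser cache is allowed to persist the response body.
// Only `no-store` forbids storage. `no-cache` forces revalidation before reuse
// but the body may still be written to the cache; `private` only excludes
// shared (proxy) caches, not the browser on a shared computer.
function mayStoreResponse(headers) {
  const cc = parseCacheControl(headerValue(headers, "Cache-Control"));
  return !cc["no-store"];
}

// Weak: a typical dynamic-page header set that still lets the browser store the body.
function weakBillingHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private, max-age=0, must-revalidate",
  };
}

// Hardened: no-store does the real work; no-cache/max-age=0 cover caches that
// ignore no-store, and Pragma/Expires handle legacy HTTP/1.0 intermediaries.
function hardenedBillingHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
  };
}

// Audit a response that carries sensitive data and list what would still let
// it be retained. An empty list means the response is not cacheable on disk.
function auditSensitiveResponse(headers) {
  const findings = [];
  const cc = parseCacheControl(headerValue(headers, "Cache-Control"));
  if (!cc["no-store"]) {
    findings.push("Cache-Control lacks no-store: body may be written to the browser's disk cache");
  }
  if (cc["no-cache"] && !cc["no-store"]) {
    findings.push("no-cache without no-store only forces revalidation; the body is still stored");
  }
  if (cc["public"]) {
    findings.push("public allows shared/proxy caches to retain the response");
  }
  return findings;
}

// Demonstration on the two constructed header sets.
console.log("weak storable:", mayStoreResponse(weakBillingHeaders()));         // true
console.log("hardened storable:", mayStoreResponse(hardenedBillingHeaders())); // false
console.log("no-cache alone:", auditSensitiveResponse({ "Cache-Control": "no-cache" }));
```

When reviewing a response that shows payment or contact details, run the audit against the headers the server actually emits rather than the ones you think the framework sets; many frameworks default to `private` or `no-cache` and neither prevents the scenario described in this article.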
This isn’t the first time that an internal error by Twitter has resulted in the leakage of user data. In September 2018, Twitter disclosed that a bug in its Account Activity API (AAAPI) had been delivering direct messages to the wrong recipients. Developers who used AAAPI to communicate with customers could have had those DMs sent to other developers’ endpoints during the roughly sixteen months the bug was present.