Twitter emailed business clients to tell them that their financial data may have been seen by the uninvited.
Twitter apologized on Tuesday for letting business clients’ billing information land in browser cache – a spot where anyone who later used the same browser could have had a peek, whether or not they had any right to see it.
In an email to its clients, Twitter said it was “possible” that others could have accessed the sensitive information, which included email addresses, phone numbers and the last four digits of clients’ credit card numbers. Any and all of that data could leave businesses vulnerable to phishing campaigns and business email compromise (BEC) – a crime that the FBI says is getting pulled off by increasingly sophisticated operators who’ve grown fond of vacuuming out payrolls.
Mind you, Twitter hasn’t come across evidence that billing information was, in fact, compromised.
On 20 May, Twitter updated the caching instructions (the HTTP headers) it sends to browsers, thereby putting a stopper in the leak. The two affected platforms are ads.twitter.com and analytics.twitter.com. If you viewed your billing information on either platform before 20 May, a copy of it may still be sitting in your browser cache.
Browser-sharers take heed
Twitter said that if you used a shared computer during that time, someone who used the computer after you may have seen the billing information stored in the browser’s cache. The company notes that most browsers keep cached data by default for a limited period, on the order of 30 days, unless the page’s headers tell them not to store it at all.
What to do?
Twitter recommends that those who use a shared computer to access Twitter Ads or Analytics billing information should clear the browser cache when they log out.
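The header change and the clear-your-cache advice above both come down to HTTP caching directives. The following is an added example (not Twitter’s code, and the header sets are constructed for illustration): a small checker that decides whether a browser is allowed to write a response to its on-disk cache, shown against a weak header set beside a hardened one. The decision logic follows the standard Cache-Control semantics; `browser_may_store`, `WEAK_HEADERS`, `HARDENED_HEADERS` and `LOGOUT_HEADERS` are names chosen here, not anything from the affected sites.

```python
# Added example (not Twitter's code): decide whether a browser is permitted to
# write an HTTP response to its on-disk cache, and show a weak header set
# beside a hardened one. All header values below are constructed.
from __future__ import annotations


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives: dict[str, str | None] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def browser_may_store(headers: dict[str, str]) -> tuple[bool, str]:
    """Return (storable, reason) for a response carrying the given headers.

    Header names are matched case-insensitively. Only `no-store` forbids
    writing the bytes to disk: `no-cache` means "revalidate before reuse"
    and `private` only excludes shared caches, so both still allow the
    browser cache that the shared-computer scenario is about. A response
    with no freshness directive at all may be cached heuristically.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))

    if "no-store" in cc:
        return False, "Cache-Control: no-store forbids storage"
    if "no-cache" in cc:
        return True, "no-cache only forces revalidation; bytes may be on disk"
    if "private" in cc:
        return True, "private keeps shared caches out, not the browser cache"
    if "max-age" in cc or "expires" in lowered:
        return True, "explicit freshness lifetime allows storage"
    if "last-modified" in lowered:
        return True, "no directive: heuristic freshness may apply"
    return True, "no cache directives; storage is left to the browser"


# Weak (constructed): lets the browser keep the billing page after logout.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Cache-Control": "private, max-age=0",
}

# Hardened: never written to any cache; Pragma covers HTTP/1.0 intermediaries.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}

# On the logout response, Clear-Site-Data asks supporting browsers to purge
# the cache (and cookies) for the origin: the server-side counterpart of
# "clear your cache when you log out".
LOGOUT_HEADERS = {
    "Cache-Control": "no-store",
    "Clear-Site-Data": '"cache", "cookies"',
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        storable, why = browser_may_store(hdrs)
        print(f"{label:9s} storable={storable}  ({why})")
```

The point the checker makes is that `private` and `max-age=0`, which look restrictive, still permit the browser to keep the page on disk; only `no-store` prevents that. `Clear-Site-Data` is a standard response header, but support varies by browser, so it complements rather than replaces the advice to clear the cache manually on a shared machine.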
Twitter’s mea culpa
Whoops, Twitter said:
We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.
The company didn’t say how many accounts were affected.
If you’ve got questions, Twitter says you can write to its Office of Data Protection.
Not the first flub
This isn’t the first time that Twitter’s stumbled with account security.
In May 2018, we got a warning from Twitter admitting that the company had made a serious security blunder: a bug had been writing users’ passwords to an internal log before they were hashed. That’s right: plaintext passwords, saved to disk.
You’re reading Naked Security, so there’s a good chance you already know that plaintext passwords are an acutely bad idea.