Twitter alerts business customers after flagging data breach
The company has apologised for an error that meant third parties may have had local access to personal data


Twitter has messaged its business clients to inform them that their personal information may have been compromised in a “data security incident”.
An issue with the way Twitter cached data on web browsers meant the personal information of customers of the social media company's advertising or analytics platforms may have been locally accessed by third parties.
Prior to 20 May, the company revealed, if business customers accessed their billing information, the data on this page would have been improperly stored in the cache of their internet browser.
The potentially exposed information included email addresses, phone numbers, and the last four digits of users’ payment card as well as the billing address. The exposed information did not include complete card numbers, expiration dates or security codes.
Most internet browsers normally store data in their cache for a short period like 30 days, although this is more than enough time for somebody to have inadvertently accessed the details customers viewed on Twitter. This is particularly true for shared or public devices.
“On May 20, 2020, we updated the instructions that Twitter sends to your browser’s cache to stop this from happening,” the company wrote in a message to customers.
“While we have no evidence that your billing information was compromised, we want to make sure you are aware of the issue and how to protect yourself going forward. If you currently use a shared computer to access your Twitter Ads or Analytics billing information, we recommend clearing the browser cache when you log out.”
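Whether a browser may keep a copy of a page on disk is decided by the response headers the server sends. The following is an added example, not code from Twitter or from this article: it classifies responses by what a browser cache may do with them. The article does not name the directive Twitter changed, so treating `Cache-Control: no-store` as the safe setting, the `/billing` labels and the sample headers are assumptions constructed for illustration.

```python
# Added example: classify whether a browser may write a response to its cache.
# SAMPLE_RESPONSES is constructed data, not captured from Twitter.

def parse_cache_control(value):
    """Return {directive: argument-or-None} from a Cache-Control header value."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def browser_cache_verdict(headers):
    """Classify a response by what a browser's local cache may do with it."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc:
        return "not-stored"          # nothing is written to the cache
    if "no-cache" in cc or cc.get("max-age") == "0":
        return "stored-revalidate"   # still on disk, revalidated before reuse
    if "max-age" in cc or "expires" in h:
        return "stored-fresh"        # reused from disk until it expires
    return "stored-heuristic"        # no explicit lifetime: browser may pick one


SAMPLE_RESPONSES = {
    "/billing (private only)": {"Cache-Control": "private, max-age=600"},
    "/billing (no-cache)": {"Cache-Control": "no-cache"},
    "/billing (no-store)": {"Cache-Control": "no-store"},
    "/billing (no header)": {"Content-Type": "text/html"},
}


def findings(responses):
    """Labels whose content can remain on a shared machine's disk."""
    return sorted(p for p, hdrs in responses.items()
                  if browser_cache_verdict(hdrs) != "not-stored")


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{browser_cache_verdict(hdrs):18} {label}")
```

Note that `private` and `no-cache` both still allow a copy to be written locally; only `no-store` forbids it, which is what matters on a shared or public device.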
The company has apologised for the incident, stressing it recognises the trust customers place in the platform.
Twitter has previously been at the heart of several major security incidents, including most recently in August 2019 when the company found an issue in its privacy settings that may have led to user data being inadvertently shared with third parties.
Users who clicked or viewed an ad on the app from May 2018 may have accidentally shared data with its third-party measurement and advertising partners, even if permission hadn’t been granted.
In May 2018, meanwhile, Twitter told 330 million users to change their passwords after some were exposed in plain text over its internal network. This was due to a bug which caused the passwords to be stored on a computer log before a hashing process was completed.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.