Naked Security

Twitter apologizes for leaking businesses’ financial data

Twitter emailed business clients to tell them that their financial data may have been seen by the uninvited.

Twitter apologized on Tuesday for sticking business clients’ billing information into browser cache – a spot where the uninvited could have had a peek, regardless of not having the right to see it.
In an email to its clients, Twitter said it was “possible” that others could have accessed the sensitive information, which included email addresses, phone numbers and the last four digits of clients’ credit card numbers. Any and all of that data could leave businesses vulnerable to phishing campaigns and business email compromise (BEC) – a crime that the FBI says is getting pulled off by increasingly sophisticated operators who’ve grown fond of vacuuming out payrolls.
Mind you, Twitter hasn’t come across evidence that billing information was, in fact, compromised.
On 20 May, Twitter updated the instructions that it sends to the browser cache, thereby putting a stopper in the leak. The two affected platforms are ads.twitter.com and analytics.twitter.com. If you viewed your billing information on either platform before 20 May, it may have gotten stuck in browser cache.
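The article does not say which caching instructions Twitter changed. As an added example (not Twitter's code and not from the original article), assuming they are standard HTTP caching headers such as Cache-Control, this JavaScript check reports which sensitive pages a browser is still allowed to store; the paths and header values are constructed samples.

```javascript
// Added example. Assumption: the "instructions" are standard HTTP caching
// headers (Cache-Control, RFC 9111). Paths and header values are constructed.

// Parse a Cache-Control value into a Map of directive -> argument (or true).
function parseCacheControl(value) {
  const directives = new Map();
  const re = /([\w-]+)(?:\s*=\s*("[^"]*"|[^,\s]*))?/g;
  for (const m of String(value || "").matchAll(re)) {
    const arg = m[2] === undefined ? true : m[2].replace(/"/g, "");
    directives.set(m[1].toLowerCase(), arg);
  }
  return directives;
}

// Decide whether a browser (a private cache) may keep the response.
function browserCacheVerdict(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = parseCacheControl(h["cache-control"]);
  if (cc.has("no-store")) {
    return { storable: false, reason: "no-store: must not be stored" };
  }
  if (cc.has("no-cache")) {
    return { storable: true, reason: "no-cache: stored, revalidated before reuse" };
  }
  if (cc.has("private")) {
    return { storable: true, reason: "private: only shared caches are excluded" };
  }
  if (cc.size === 0 && !h["expires"]) {
    return { storable: true, reason: "no directives: caching is left to the browser" };
  }
  return { storable: true, reason: "no no-store directive present" };
}

// Return the sensitive pages whose responses a browser may still store.
function auditSensitivePages(responses) {
  return responses
    .map((r) => ({ path: r.path, ...browserCacheVerdict(r.headers) }))
    .filter((r) => r.storable);
}

const sampleResponses = [ // constructed sample data
  { path: "/billing", headers: { "Cache-Control": "private, max-age=0" } },
  { path: "/billing/cards", headers: { "cache-control": 'no-cache="Set-Cookie, X-Id"' } },
  { path: "/billing/history", headers: { "Cache-Control": "No-Store, private" } },
  { path: "/billing/invoice", headers: {} },
];
for (const f of auditSensitivePages(sampleResponses)) console.log(f.path, "->", f.reason);
```

Of the four sample responses, only the one carrying no-store is kept out of the browser cache; private, no-cache and max-age=0 all leave a copy that a later user of a shared computer could find.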

Browser-sharers take heed

Twitter said that if you used a shared computer during that time, someone who used the computer after you may have seen the billing information stored in the browser’s cache. The company notes that most browsers generally store data in their cache by default for a short period of time – say, 30 days.

What to do?

Twitter recommends that those who use a shared computer to access Twitter Ads or Analytics billing information should clear the browser cache when they log out.

Twitter’s mea culpa

Whoops, Twitter said:

We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.

The company didn’t say how many accounts were affected.
If you’ve got questions, Twitter says you can write to its Office of Data Protection, here.

Not the first flub

This isn’t the first time that Twitter’s stumbled with account security.
In May 2018, we got a warning from Twitter admitting that the company had made a serious security blunder: it had been storing unencrypted copies of passwords. That’s right: plaintext passwords, saved to disk.
You’re reading Naked Security, so there’s a good chance you already know that plaintext passwords are an acutely bad idea.


A few years prior to that, in June 2016, Twitter locked out some users after nearly 33 million logins went up for sale. The thievery was credited to a well-known hacker and dark-web seller: a Russian actor known by the handle Tessa88. Twitter said at the time that its systems hadn’t been breached and that the logins may have come from other password leaks.
That’s a whole lot of leaked passwords and about 33 million reasons to repeat the “use a unique, strong password” mantra. Need a real bruiser of a password? Here’s how to pick a strong password.
Ixnay on the password reuse, too, of course. That’s where a password manager comes in handy.
Do all that to protect your credentials, wipe browser cache if you’re potentially affected by this browser cache storage glitch, and stay safe!