Twitter Is “Very Sorry” That Your Sensitive Data Has Been Exposed (Again)

By Bill Toulas / June 24, 2020

Twitter has discovered that the billing information of some users who had registered for “Twitter Ads” and “Twitter Analytics” has been exposed, but the chances of the information having been compromised are low. The social media company figured that some of the user data were kept in the browser’s cache, so someone could have potentially accessed it. The information includes email addresses, phone numbers, and the last four digits of the user’s credit card numbers. While not entirely catastrophic, these are all sensitive details that should have been adequately protected by the platform.

The message that Twitter sent out to the possibly affected individuals and businesses was the following:

“We are writing to let you know of a data security incident that may have involved your personal information on ads.twiter and analytics.twitter. We became aware of an issue that meant that prior to May 20, 2020, if you viewed your billing information on ads.twitter or analytics.twitter the billing information may have been stored in the browser's cache. Examples of that information include email address, phone number, last four digits of cour credit card number.”

The platform hasn’t determined the exact number of accounts that have been exposed in this incident, as a detailed write-up on the Twitter Privacy blog hasn’t been published yet (and may never appear). The problem is now fixed, but this is the same assurance that was given the last time that something like that happened. Back in April 2020, Twitter had a similar cache data retention problem with Mozilla Firefox users, which was apparently under active exploitation at the time of its discovery. Twitter is a big platform, and malicious actors are looking deeply to find these flaws, scanning everything 24/7. Thus, it would be safe to assume that if your data could be scraped, it got scraped.

If you are managing a valuable Twitter account, the disclosure of your phone number could be catastrophic. SIM swap actors would now know what number they need to port on their cards, so change your two-factor authentication method immediately. Phishing attempts that arrive via SMS would also be likely. They could even leverage this very security incident as an excuse to convince you to follow fake “secure your account” webpages, so be watchful and monitor your account activity frequently. As for the last four digits of your credit card, these would be mostly worthless for direct exploitation but could be used to give credibility to phishing messages instead.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: