Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Twitter Alerts Business Users of Billing Information Exposure

Twitter has started informing business customers that their billing information may have been exposed in what the company has described as a “data security incident” affecting its ads and analytics services.

Twitter has started informing business customers that their billing information may have been exposed in what the company has described as a “data security incident” affecting its ads and analytics services.

In an email sent to impacted customers, Twitter said the issue involved personal information on and The social media giant explained that billing information viewed on these domains may have been cached by web browsers.

“If you used a shared computer, it is possible that if someone used the computer after you they could have seen the information stored in the browser’s cache,” Twitter told customers, clarifying that cached data is typically stored for a limited time, such as 30 days.Twitter exposed information of business customers

The company said the exposed information included email addresses, phone numbers, billing addresses, and the last four digits of payment card numbers, but expiration dates, full card numbers or security codes were not impacted.

Twitter addressed the issue on May 20 and claims that there is no evidence to suggest that any information was actually compromised.

“While we have no evidence that your billing information was compromised, we want to make sure you’re aware of the issue and how to protect yourself going forward. If you currently use a shared computer to access your Twitter Ads or Analytics billing information, we recommend clearing the browser cache when you log out,” Twitter said in its email.

This is not the first time Twitter has disclosed a security issue related to data cached by browsers. The social media firm informed users in early April that their personal information may have been exposed due to the way Firefox stored cached data, including direct messages and the downloaded data archive.

“Browser cookies are a double edged sword,” said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center. “While they can help simplify the process of identifying a user and their preferences, they shouldn’t be a proxy for a database.”

Mackey added, “In this case, it appears the development team for Twitter Business stored sensitive information in browser cookies, and turned their browser cookies into a cache of database information. Not only does this presume that the user will always use the same device when accessing their Twitter Business account, but it also presumes the user has only one device since changes in information like updated billing information can’t possibly be sent to the browser cache of all devices when data updates happen. The better way to handle sensitive information is to only request it from a secured data store as needed and then ensure local copies of the data aren’t created which could be left behind.”

Twitter has disclosed several security issues over the past years, including related to the Android app exposing protected tweets, the use of account security information for advertising, an API vulnerability exploited to match usernames to phone numbers, direct messages being exposed to third-party developers, and the Android app allowing hackers to obtain sensitive data and hijack accounts.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.