Connect with us

Hi, what are you looking for?


Data Protection

Twitter Alerts Business Users of Billing Information Exposure

Twitter has started informing business customers that their billing information may have been exposed in what the company has described as a “data security incident” affecting its ads and analytics services.

Twitter has started informing business customers that their billing information may have been exposed in what the company has described as a “data security incident” affecting its ads and analytics services.

In an email sent to impacted customers, Twitter said the issue involved personal information on and The social media giant explained that billing information viewed on these domains may have been cached by web browsers.

“If you used a shared computer, it is possible that if someone used the computer after you they could have seen the information stored in the browser’s cache,” Twitter told customers, clarifying that cached data is typically stored for a limited time, such as 30 days.Twitter exposed information of business customers

The company said the exposed information included email addresses, phone numbers, billing addresses, and the last four digits of payment card numbers, but expiration dates, full card numbers or security codes were not impacted.

Twitter addressed the issue on May 20 and claims that there is no evidence to suggest that any information was actually compromised.

“While we have no evidence that your billing information was compromised, we want to make sure you’re aware of the issue and how to protect yourself going forward. If you currently use a shared computer to access your Twitter Ads or Analytics billing information, we recommend clearing the browser cache when you log out,” Twitter said in its email.

This is not the first time Twitter has disclosed a security issue related to data cached by browsers. The social media firm informed users in early April that their personal information may have been exposed due to the way Firefox stored cached data, including direct messages and the downloaded data archive.

“Browser cookies are a double edged sword,” said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center. “While they can help simplify the process of identifying a user and their preferences, they shouldn’t be a proxy for a database.”

Advertisement. Scroll to continue reading.

Mackey added, “In this case, it appears the development team for Twitter Business stored sensitive information in browser cookies, and turned their browser cookies into a cache of database information. Not only does this presume that the user will always use the same device when accessing their Twitter Business account, but it also presumes the user has only one device since changes in information like updated billing information can’t possibly be sent to the browser cache of all devices when data updates happen. The better way to handle sensitive information is to only request it from a secured data store as needed and then ensure local copies of the data aren’t created which could be left behind.”

Twitter has disclosed several security issues over the past years, including related to the Android app exposing protected tweets, the use of account security information for advertising, an API vulnerability exploited to match usernames to phone numbers, direct messages being exposed to third-party developers, and the Android app allowing hackers to obtain sensitive data and hijack accounts.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...