Twitter has started informing business customers that their billing information may have been exposed in what the company has described as a “data security incident” affecting its ads and analytics services.
In an email sent to impacted customers, Twitter said the issue involved personal information on analytics.twitter.com and ads.twitter.com. The social media giant explained that billing information viewed on these domains may have been cached by web browsers.
“If you used a shared computer, it is possible that if someone used the computer after you they could have seen the information stored in the browser’s cache,” Twitter told customers, clarifying that cached data is typically stored for a limited time, such as 30 days.
The company said the exposed information included email addresses, phone numbers, billing addresses, and the last four digits of payment card numbers, but expiration dates, full card numbers or security codes were not impacted.
Twitter addressed the issue on May 20 and claims that there is no evidence to suggest that any information was actually compromised.
“While we have no evidence that your billing information was compromised, we want to make sure you’re aware of the issue and how to protect yourself going forward. If you currently use a shared computer to access your Twitter Ads or Analytics billing information, we recommend clearing the browser cache when you log out,” Twitter said in its email.
This is not the first time Twitter has disclosed a security issue related to data cached by browsers. The social media firm informed users in early April that their personal information may have been exposed due to the way Firefox stored cached data, including direct messages and the downloaded data archive.
“Browser cookies are a double edged sword,” said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center. “While they can help simplify the process of identifying a user and their preferences, they shouldn’t be a proxy for a database.”
Mackey added, “In this case, it appears the development team for Twitter Business stored sensitive information in browser cookies, and turned their browser cookies into a cache of database information. Not only does this presume that the user will always use the same device when accessing their Twitter Business account, but it also presumes the user has only one device since changes in information like updated billing information can’t possibly be sent to the browser cache of all devices when data updates happen. The better way to handle sensitive information is to only request it from a secured data store as needed and then ensure local copies of the data aren’t created which could be left behind.”
Twitter has disclosed several security issues over the past years, including related to the Android app exposing protected tweets, the use of account security information for advertising, an API vulnerability exploited to match usernames to phone numbers, direct messages being exposed to third-party developers, and the Android app allowing hackers to obtain sensitive data and hijack accounts.
