Another day, another social media platform hacked

Earlier this week, Twitter published a blog post titled “An Incident Impacting Your Account Identity”

What happened?

In December 2019, Twitter became aware that “someone” had used fake accounts to abuse an API (one Twitter itself uses) that matches uploaded phone numbers to usernames.  The API exists so users can find people they already know more easily, by matching the contacts stored on their phones against registered accounts.  For the sake of clarity, the API behaved exactly as it was built to; it was simply used by the wrong person.

So, who is this someone?  According to Twitter, the large number of fake accounts appeared to come from various countries, but the highest concentration of IP addresses was located in Iran, Israel and Malaysia.  It might therefore be one person using multiple IP addresses, or a group of people.  At this stage, it may even be a bot.  Irrespective of who or what is responsible, Twitter thinks there is also a possibility that some of these addresses have ties to state-sponsored actors.  Yikes!

What did Twitter have to say?

In the statement, Twitter made some pretty vague comments such as:

“We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it.” 

“We are disclosing this out of an abundance of caution and as a matter of principle.”

“Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on stopping abuse of Twitter’s API as quickly as possible.”

“We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

The only thing worse than these veiled apologies is the heading itself, which doesn’t immediately tell you that this was a major data breach, not just some “incident”.

Why is this response problematic?

To be honest, the response from Twitter sounds like a high-school lover caught cheating on you who isn’t actually sorry for what they did, or prepared to take any accountability for their part in the process. They really hope you will still go with them to the school dance, but also if you don't want to anymore, they would be very "whatever" about it.

Twitter makes it seem like they are doing their users a massive favour by disclosing the details of the breach, when in fact this disclosure is a legal requirement.  If personal information (a definition that includes phone numbers and email addresses) relating to individuals in the European Union was involved (highly likely), the GDPR would require Twitter to notify the supervisory authority in the EU without undue delay and at the latest within 72 hours of becoming aware of the breach, and to advise users of the compromise to the protection of their personal information.  Similar legislation in other countries places similar requirements on those processing personal information.

Also, this is a data breach, not some downtime of the platform.  If the breach occurred on 24 December 2019, it seems hugely problematic that a public notice was only released on 3 February 2020.  Perhaps individual account holders were notified (unlikely), in which case I might eat my words.  If you have information on this and would like to publicly shame me, please do.

The other issue I have is why Twitter chose to put a sneaky notice on a blog page of its own website, which most of its users are unlikely to read consistently.  If a breach is occurring specifically because email addresses and phone numbers are being used on the platform, would it not make more sense to send notices to those affected via these very channels, immediately?  Alternatively, the platform could have been disabled until the investigation was complete and the issues resolved (Haha – jokes on me).

My view is that it’s obvious why these measures weren’t followed – it is simply not good for business.  This kind of notice was designed specifically to avoid drawing too much attention to the incident and to skirt around compliance issues.  It’s behaviour that big corporates, and especially social media giants (read Facebook), are becoming more known for.

What should you do?

I don’t believe that much is going to change anytime soon on the part of entities using and abusing your personal information, even with the roll-out of data protection legislation around the world (well, except in South Africa, where we are still waiting for news on POPI).

With those comforting words in mind, what can you do to be proactive about the protection of your personal information?

  • If you have already enabled the option that lets Twitter access your phone contacts, you should probably think about disabling that.  Of course, this applies not only to Twitter, but to any other social media platform.  The convenience of finding people to connect with is not worth the risk you place on yourself and every single contact that may or may not want their phone number exposed. Navigate to Settings > Privacy and safety > Discoverability and contacts.  Don’t be surprised when you find these boxes already ticked.
  • Consider signing up to these platforms with email only (i.e. no phone number, social media account or Google account).  For bonus points, you could register a “social media only” email address.  Use this as your primary email for your social media platforms.  If (or when) this email address is hacked, your personal content will have much less exposure.
  • Do not use the same password for every single account.  Once upon a time, we were able to remember multiple phone numbers, but now we seem to lack the ability to remember much more important things like passwords.  Luckily, there are tools around now that make it easier (looking at you One Key).  But whatever you use (computer or human), just make sure these passwords are different across all your accounts.
  • Keep an eye out for social media platforms in the news.  It is highly unlikely that you'll receive a call from customer services or an email telling you when these breaches happen.  However, you might catch wind of it in the media (ironically, probably on some other social media platform) and you can do a check-up of where your security stands.
  • Do a social media audit.  Take a break from the engagement announcements, selfies and cat photos on your news feed to actually go into the privacy and security settings on your accounts.  Often social media platforms change the terms of their services, and something that you might have unchecked may now be pre-populated.  It is ultimately your responsibility to check your settings.
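Twitter’s post says only that the accounts were suspended, not how the API was hardened.  As an added illustration (not Twitter’s code, and not a description of its real limits), here is what server-side abuse controls on a phone-to-username matching endpoint of the kind described above can look like: one contact upload is capped in size, a client IP driving many distinct accounts is refused, and the per-user discoverability setting from the first tip actually removes a number from the matching pool.  The user records, thresholds and IP addresses are all constructed.

```python
"""Toy contact-discovery (phone number -> username) endpoint with abuse controls.

Illustration only, not Twitter's implementation: the user directory, the
thresholds and the client IPs below are constructed sample values.
"""
from collections import defaultdict

# Constructed user directory: phone -> (username, "discoverable by phone" setting).
USERS = {
    "+15550100001": ("alice", True),
    "+15550100002": ("bob", False),    # bob has switched discoverability off
    "+15550100003": ("carol", True),
}

MAX_NUMBERS_PER_REQUEST = 1000  # illustrative cap on one address-book upload
MAX_ACCOUNTS_PER_IP = 3         # illustrative cap on distinct accounts syncing from one IP

# Server-side state: which accounts have synced contacts from each client IP.
_accounts_seen_by_ip = defaultdict(set)


class AbuseDetected(Exception):
    """Raised when a sync looks like mass enumeration rather than contact discovery."""


def match_contacts(account, client_ip, phone_numbers):
    """Return {phone: username} for uploaded numbers belonging to discoverable users.

    Two controls run before any lookup: an oversized upload is refused, and a
    client IP behind more than MAX_ACCOUNTS_PER_IP distinct accounts (the
    fake-account pattern in the incident) is refused. Opted-out users are never
    returned, so the discoverability setting removes them from the matching pool.
    """
    if len(phone_numbers) > MAX_NUMBERS_PER_REQUEST:
        raise AbuseDetected(f"{account}: uploaded {len(phone_numbers)} numbers")
    seen = _accounts_seen_by_ip[client_ip]
    seen.add(account)
    if len(seen) > MAX_ACCOUNTS_PER_IP:
        raise AbuseDetected(f"{client_ip}: {len(seen)} accounts syncing from one IP")
    matches = {}
    for phone in phone_numbers:
        record = USERS.get(phone)
        if record and record[1]:  # only users who left discoverability on are matched
            matches[phone] = record[0]
    return matches


if __name__ == "__main__":
    # Legitimate sync: bob's number is in the upload but he is not discoverable.
    print(match_contacts("dave", "198.51.100.7", list(USERS)))
```

A real deployment would persist the per-IP state with a time window and tune both limits from observed traffic, but the shape of the controls is the same.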

That's all the social media good news for today. Stay safe out there.
