Story image

Twitter suspects state-sponsored ties to support forum breach

19 Dec 2018

One of Twitter’s support forums was hit by a data breach that may have ties to a state-sponsored attack, however users' personal data was exposed.

The support forum is dedicated to account holders who are having issues with their account and need to contact Twitter.

Twitter began working on a fix for the breach on November 15 and was promptly fixed by November 16. The breach allowed the attackers to discover the country code of Twitter users’ phone numbers - if a number was associated with their account.  

Attackers could also find out if users’ accounts had been locked by Twitter. Twitter does this when an account appears to violate the company’s rules or terms of service.

“Importantly, this issue did not expose full phone numbers or any other personal data. We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted,” Twitter states.

The company also says it has been investigating where the attack came from and its background so users are well informed.

“During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors.”

The company says it remains committed to full transparency and it has notified law enforcement about its research. Its biannual Twitter Transparency Report published trends in a number of areas, including platform manipulation, information requests, email privacy, and removal requests.

“No action is required by account holders and we have resolved the issue,” Twitter writes.

The company has also set up a data protection inquiry form for users who have questions or concerns. The form provides a secure form for users to contact Twitter’s data protection officer, Damien Kieran. 

This is not the first time Twitter has been caught up in a data breach – although most of them were its own fault.

In May 2018, a bug exposed Twitter users’ passwords that were stored in plain text in an internal log. The company encouraged all Twitter users to change their passwords.

“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” CTO Parag Agrawal wrote in May. 

Just four months later, Twitter’s Account Activity API allowed third party developers to accidentally expose user activity data including direct messages and protected tweets. The bug affected less than 1% of Twitter users, however it remained at large for more than a year from May 2017 to September 2018.

Twitter apologises for the latest breach.

“We recognise and appreciate the trust you place in us, and are committed to earning that trust every day. We are sorry this happened.”

Huawei talks P Series history - and drops hints on the P30
Next week will see the covers come off the new Huawei P30 Series at a special launch event held at the Paris Convention Center.
Hands-on review: Xiaomi’s Mi Mix 3 and the Amazfit Bip
You’ll probably be sad to see another device say ‘farewell’ to the 3.5mm headphone jack. Fortunately though, as mentioned, Xiaomi were kind enough to include an adapter in the box.
How Cognata and NVIDIA enable autonomous vehicle simulation
“Cognata and NVIDIA are creating a robust solution that will efficiently and safely accelerate autonomous vehicles’ market entry."
Kiwis know security is important, but they're not doing much about it
Only 49% of respondents use antivirus software and even fewer – just 19% -  change their passwords regularly.
Instagram: The next big thing in online shopping?
This week Instagram announced a new feature called checkout, which allows users to buy products they find on Instagram.
Google's Stadia: The new game streaming platform intertwined with YouTube
Move over Steam, Uplay, Origin and all the other popular gaming platforms – Google has thrown its hat in the ring and entered the game streaming market.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
How AI can transform doodles into photorealistic landscapes
The tool leverages generative adversarial networks, or GANs, to convert segmentation maps into lifelike images.