Story image

Twitter suspects state-sponsored ties to support forum breach

19 Dec 2018
Twitter
Facebook

One of Twitter’s support forums was hit by a data breach that may have ties to a state-sponsored attack, however users' personal data was exposed.

The support forum is dedicated to account holders who are having issues with their account and need to contact Twitter.

Twitter began working on a fix for the breach on November 15 and was promptly fixed by November 16. The breach allowed the attackers to discover the country code of Twitter users’ phone numbers - if a number was associated with their account.  

Attackers could also find out if users’ accounts had been locked by Twitter. Twitter does this when an account appears to violate the company’s rules or terms of service.

“Importantly, this issue did not expose full phone numbers or any other personal data. We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted,” Twitter states.

The company also says it has been investigating where the attack came from and its background so users are well informed.

“During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors.”

The company says it remains committed to full transparency and it has notified law enforcement about its research. Its biannual Twitter Transparency Report published trends in a number of areas, including platform manipulation, information requests, email privacy, and removal requests.

“No action is required by account holders and we have resolved the issue,” Twitter writes.

The company has also set up a data protection inquiry form for users who have questions or concerns. The form provides a secure form for users to contact Twitter’s data protection officer, Damien Kieran. 

This is not the first time Twitter has been caught up in a data breach – although most of them were its own fault.

In May 2018, a bug exposed Twitter users’ passwords that were stored in plain text in an internal log. The company encouraged all Twitter users to change their passwords.

“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” CTO Parag Agrawal wrote in May. 

Just four months later, Twitter’s Account Activity API allowed third party developers to accidentally expose user activity data including direct messages and protected tweets. The bug affected less than 1% of Twitter users, however it remained at large for more than a year from May 2017 to September 2018.

Twitter apologises for the latest breach.

“We recognise and appreciate the trust you place in us, and are committed to earning that trust every day. We are sorry this happened.”

Story image
20 Aug
NVIDIA's ray tracing graphics are coming to Minecraft
Prepare your pixel spades, because Minecraft is the latest game to get the real-time ray tracing treatment, thanks to NVIDIA and Microsoft.More
Story image
01 Jul
Hands-on review: Corsair HS35 is the complete console gaming headset
The HS35 delivers high-quality sound and voice clarity for gaming on multiple platforms including PC, Xbox One, PS4, Nintendo Switch, and mobile devices, thanks to a universal 3.5mm connection.More
Story image
20 Aug
Streaming service Disney+ coming to NZ – pricing and dates
The services will be another competitor entering the streaming market to compete with the likes of Netflix, Sky’s Neon offering, Lightbox.More
Story image
14 Aug
Logitech showcases the best parts of being a tech junkie
Freshly caffeinated and after the most delicious custard and apple doughnut ever, I ventured to the Logitech Showcase, ready to be inspired. I wasn’t disappointed. More
Story image
19 Aug
Control your appliances with a D-Link mydlink Mini Wi-Fi Smart Plug
The device can be set to turn your TV off when you’re asleep, power on your coffee maker before you wake up, or automatically turn on your living room lamp while you’re on holiday.More
Story image
15 Aug
Know your motive: new research considers the next wave of robots
It's becoming crucial to consider that robots should be able to understand the motive of a task in the same way humans do, as this will enable machines to work more quickly and effectively, however this also indicates a significant shift in the world of robotics.More