Correct me if I'm wrong, but Twitter knew about this vulnerability back in January, and they either didn't check to see if it was exploited, or they didn't disclose that it was, or they didn't have enough observability/audit controls in place to see 5.4M requests for account data that used this vulnerability?
That seems like gross negligence to me no matter what the reason for that is, but I play in a much smaller pond and maybe I just don't understand that the cost to do things ethically at scale is always greater than cleanup.
> If anyone hasn't noticed by now, social media companies don't care about your privacy.
This is really unfair, of course they protect your personal data... From competitors, so that they can continue renting out access to it - to the highest bidder :)
That could explain Elon Musk’s sudden reversal. I don’t understand his motives for proposing-then-withdrawing (the other theory is that the market crashed and he wanted to halve the price, but he’s a senior, anyone could have guessed that the market was on a downwards trend; another theory is that he didn’t expect such opposition and withdrew seeing that he was seen as the bad guy).
Technically a tweet could form a binding contract, but yes, my point is he publicly announces things, then changes his mind, rather than thinking about whether he actually wants to do the thing before wasting everyone's time.
Waiting for Twitter to change their ToS to include a line "if you announce an offer to buy Twitter via Twitter then that offer is considered a valid contract."
This isn't the first time Twitter users' PII has been put up for sale [0]. I think it's legitimate to badmouth this company because—other than their popularity—there's no redeeming quality, just a terrible reputation, massive toxicity and a lack of (real) moderation. People who like to dox others will have a lot of fun with this database, regardless. And another point in favor of mandatory phone-number-based verification for online websites; I wonder how long it'll take for us to get past it, a privacy threat for clueless users and a trivial obstacle for bad actors.
What's even more terrible is that if Twitter deems that one of your tweets breaks their terms of service (even if incorrectly), they'll ask you to provide some PII and delete the tweet, effectively doxxing yourself in case of a security breach.
From screenshots I've seen from some users this has happened to, the "Delete this Tweet" button they offer you in those circumstances comes with a statement attached saying something to the effect of (paraphrased, but not too far off from the actual text) "Deleting this tweet amounts to an admission that it violates our terms of service" or something similar, basically saying that they're incapable of mistakenly flagging a tweet.
I have considered my Twitter DMs to be 'future public information' for a few years now. Same with Facebook. Likelihood of them all being leaked someday seems to be extremely high. I put a lot more trust in Signal, especially disappearing messages.
The New York Times principle - never send out anything that you couldn't tolerate being published in the New York Times next to your name. All Big Social are covered by this, including "private" messages.
> "Self-censorship is a pretty good idea if you're putting your words in the hands of someone else."
Strangely, this sort of thinking used to be "common knowledge" / "common sense" back before everyone started self-publishing every detail of their private lives on world-wide public forums like Facebook and Twitter…
Amusing side note: the "Grumpy Old Farts" back in the day where I grew up used to refer to "common sense" as "horse sense", and when asked why, they'd respond "Because every horse has it, even if every person don't!"
So much for signing up and adding your phone number. Not really a very clever idea now, is it? Since this attack was able to link people's Twitter IDs with their email addresses and, most importantly, their phone numbers.
So if another company had a previous breach somewhere which linked both the email and the phone number and then a physical address came up...
Then it's game, set and they're fully doxxed and that's that.
Also, just one more reason it's not wise to use SMS / phone number as your "second factor" in 2FA (two-factor authentication). Always prefer a proper 2FA app or USB key type device over SMS. For a lot of these folks, these "hackers" (and whoever they sell the data to) now have enough information to steal these people's accounts (in many cases not just their Twitter accounts, either, but probably most of their accounts across multiple services).
This is common practice, as a mobile number can be a good signal for determining whether or not an account is a bot; blocking virtual numbers means any would-be fake accounts need to find a dealer for good non-voip numbers, likely increasing the cost of creating these accounts.
Which is so terrible. They're proving again and again that virtual numbers (or generally any proxy for PII) are the only ones that they can be trusted with.
If your justification for requiring non-VOIP numbers is "it decreases the number of bots on the service" and the service is overrun with bots, clearly requiring non-VOIP numbers hasn't done much of anything to decrease the number of bots.
Just because a service isn't overrun with bots already doesn't mean it couldn't be 10x worse, to the point where Twitter becomes unusable, if existing mechanisms like blocking non-VOIP numbers didn't exist. If they got rid of that constraint I could easily spin up a million bot accounts (captcha bypass is trivial) if I wanted to.
It's an interesting problem. Is the real reason to use this that you have to pay to get a phone, so it's less likely to be a bot? I'd rather use GV or similar and avoid the risk of someone hacking my phone company account.
I can spend $2 to get a number on a website that will pass anything, including Google itself. Not going to name the site, but it's not exactly difficult to locate.
If it's the same one I'm thinking of, the number is shared in the sense that you can buy a verification for Google while someone else can buy a verification code for Twitter on the same number.
IIRC they had a guarantee that the number won't be reused for the same service for at least 6 months from order.
They are right, but people really hate to give out their real phone number - especially since they get leaked this way and then abused, so in the end they have the bot problem.
It's entirely correct. Note that the comment doesn't claim it stops all bot traffic, just that it increases the cost of creating fake accounts. Nor does it make any judgment on the morality or efficacy of such measures. People likely downvote such comments because they're reading something into it that isn't actually there.
Trying to justify not letting people do what they can to protect their phone number on an article about a data breach that leaked phone numbers - yeah, you're gonna get downvoted.
Can someone explain to me what all those 7500 employees are doing at twitter? Because I'm totally unimpressed by that.
WhatsApp had 55 employees when it was sold, which sounds about right. But 7.5k for just pushing some data around? GTA was developed by 1000 people, and I mean both programmatically and content-wise it's way more challenging.
oh gawd. I signed up for twitter back in the day, and foolishly allowed access to my gmail contact list - of course they emailed everyone. And a few friends reached out to shame me (as they should).
They still send a lot of email to that address, but I haven't been able to log in for 10 years, maybe more? I've made a few half-hearted attempts. Oh well.
I suppose having a jurassic era account is helpful. It was either compromised years ago, or not even twitter can access the data. :shrug:
I'd agree on maybe, but it likely depends on what the Twitter board knew. If the Twitter board knew about it, and thought it had material impact on their company but did not disclose it, it could be considered at least part of the evidence for Musk saying the board is not being truthful or forthcoming.
I think you're right, at least, that's consistent with Twitter's account of the "whirlwind bargaining session." What I said up there was 100% humor.
In all seriousness, I'm really hoping that Twitter takes Musk down a notch here, and most of the legal maneuvering has filled me with childish glee. Until today, that is. If the twitter board was aware of this, I'm not sure that even signing away diligence would get them off the hook. I'm not a lawyer, so I'm not really sure what to think here
Any proof of material internal knowledge which wasn't disclosed during diligence is completely fair game in a court case like this.
Human beings on juries (or judges) decide these things. If you promise to sell someone a car and don't disclose that a raccoon is living in the seat cushion, it doesn't really matter what you made them sign, you're at risk of an adverse judgement.
Interesting, Twitter paid a $5,040 bounty to the vulnerability reporter. I've heard it said that website vulnerabilities aren't valuable and thus don't merit large bounties. But if a single copy of the database can be sold for $30k (I'm not sure it actually will), then this is a case of a bounty for a website vuln being much too small.
There are a lot of ways to monetize it. Run 2FA attacks on celebrity accounts' phone numbers, dox anon accounts that post racist stuff or follow gay porn and blackmail them, etc etc.
The standard black hat data dump monetization scheme (I have been told) is to just try logging in with the same creds at a bunch of banks. Lots of people reuse passwords and you don’t need that many hits to recoup the money.
I don't think that would work. You only get cancelled if you catch the eye of a social media mob. If it's just some random person complaining that X is a racist then I'd bet X's employer would side with X. "No, trust me - I hacked into Twitter and this anime avatar who says racist things is totally your employee. Hello? Hello?"
You could threaten to call up a random person's employer and call them a racist unless they paid you. Seems as likely to work as this would be.
You would need someone high profile enough to get the attention of a social media mob to really threaten people.
It took one tweet from a random user (@fionafranfeld) to get bodega bro cancelled from his tech job in New York at @outreach_io https://youtu.be/gIraad4RrRw?t=190
You don't need to get the person fired - you need to get them afraid of potentially being fired. Not everyone will do a rational takedown like this, and if they do, you have millions of accounts to dox.
A (protected) tweeter mentioned the existence of this issue in June 2020 without exploit details, and it seemed pretty easy for them to discover, so it's possible that other parties scraped this data as well for over a year.
And yet people still ridicule me as "paranoid" and accuse me of having "trust issues" for using an online pseudonym / "handle" and refusing to trust these corporations with any of the private data that so many of these service want to insist upon collecting these days… As if there's some valid reason why I should trust them with data that they repeatedly prove that they cannot keep safe from exactly this sort of "breach"… I just cannot understand how so many people can keep getting burned by these companies and still somehow manage to trust them with reams of private / personal data.
This is probably how scammers were hacking into accounts to promote crypto scams. You set up some proxies or EC2 instances to try Twitter logins with common passwords, but if you fail too many times or come from the wrong country, it will ask for the email. Knowing the email or phone bypasses this.
Yet another reason why requiring phone numbers for account creation/verification is an awful, user-hostile idea. I've always hated services that do this.
Microsoft did this when I signed up to play Halo Infinite. I had a few hours of play time doing nothing at all suspicious and deleted the game rather than give them my phone number.
Yes, though least it's a free product. Now imagine MS doing the same trick with paying customers who spent at least $30 thinking they'd get to own a copy of Minecraft.
Not only that, but their Android apps all do their very best to convince folks to allow access to their phone's contact list as well. Even more phone numbers for the "All Seeing Eye of Zuckerberg's Giant Database of Everyone™".
One reason many well-meaning security teams want mobiles is that phone numbers "cost" money for (most) attackers to create but do not create much additional burden for (most) legitimate users.
In a sense they are used as a kind of "hashcash" to raise the cost of fake accounts.
You can improve privacy by one-way transforming the number in a way your systems can't undo (e.g. HMAC with a key in an HSM configured for encrypt-only, with rate limiting), but naively you lose agility and some useful capability (e.g. banning accounts with numbers from a given range).
> You can improve privacy by one-way transforming the number in a way your systems can't undo (e.g. HMAC with a key in an HSM configured for encrypt-only, with rate limiting), but naively you lose agility and some useful capability (e.g. banning accounts with numbers from a given range).
So store two hashes, one being the whole number, another being the number excluding the last 2 digits. These aren’t difficult problems to solve. The bigger issue is that they’re not revenue generating solutions, but rather the opposite.
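The two comments above describe a keyed one-way transform of the phone number plus a second, prefix-only token that keeps range bans possible. The following is an added example written for this page (not code from Twitter or from either commenter) that implements that design: HMAC-SHA256 over the normalized E.164 number, a domain-separated HMAC over the number with its last N digits dropped (the comment's "last 2 digits", generalized to a configurable N), and a small index that dedupes accounts and bans a range without ever storing a plaintext number. The 32-byte key is a constructed placeholder standing in for the HSM-held key; the HSM's rate limiting is not modelled here.

```python
import hashlib
import hmac
import re

# Constructed placeholder key. In the design discussed above this key never
# leaves an HSM that only performs HMAC/encrypt operations, rate limited.
# A leaked key makes every token reversible by brute force, since a national
# numbering plan is only ~10^10 candidates, so the key's confinement is the
# entire privacy guarantee.
SECRET_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# E.164: leading '+', first digit 1-9, 7 to 15 digits total.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def normalize(number: str) -> str:
    """Canonicalize user input so '+1 (415) 555-0100' and '14155550100'
    produce the same token. Raises ValueError on anything non-E.164."""
    digits = re.sub(r"\D", "", number)
    candidate = "+" + digits
    if not E164.match(candidate):
        raise ValueError(f"not an E.164 number: {number!r}")
    return candidate


def phone_token(number: str, key: bytes = SECRET_KEY) -> str:
    """Keyed one-way token for the full number (used for lookup/dedupe)."""
    msg = b"phone-full:" + normalize(number).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def prefix_token(number: str, drop: int = 2, key: bytes = SECRET_KEY) -> str:
    """Keyed token for the number with its last `drop` digits removed.
    Domain-separated by label and by `drop` so prefix tokens can never
    collide with full-number tokens or with a different prefix length."""
    norm = normalize(number)
    if not 1 <= drop <= len(norm) - 2:
        raise ValueError("drop must leave at least '+' and one digit")
    msg = b"phone-prefix:" + str(drop).encode() + b":" + norm[:-drop].encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class PhoneIndex:
    """Stores only tokens. Supports one-account-per-number and range bans."""

    def __init__(self, key: bytes = SECRET_KEY, drop: int = 2):
        self.key = key
        self.drop = drop
        self.full_to_account: dict[str, str] = {}
        self.banned_prefixes: set[str] = set()

    def register(self, account: str, number: str) -> str:
        full = phone_token(number, self.key)
        pre = prefix_token(number, self.drop, self.key)
        if pre in self.banned_prefixes:
            return "banned"
        if full in self.full_to_account:
            return "duplicate"
        self.full_to_account[full] = account
        return "ok"

    def ban_range(self, example_number: str) -> None:
        """Ban every number sharing this number's prefix (last `drop` digits
        varying), e.g. a block sold by a virtual-number reseller."""
        self.banned_prefixes.add(prefix_token(example_number, self.drop, self.key))

    def is_banned(self, number: str) -> bool:
        return prefix_token(number, self.drop, self.key) in self.banned_prefixes


if __name__ == "__main__":
    idx = PhoneIndex()
    print(idx.register("alice", "+1 (415) 555-0100"))   # ok
    print(idx.register("mallory", "14155550100"))       # duplicate
    idx.ban_range("+14155550100")
    print(idx.register("bot", "+14155550142"))          # banned
    print(idx.register("bob", "+14155550300"))          # ok
```

The trade-off the thread raises shows up directly: with `drop=2` a ban covers 100 numbers, which is coarse enough to catch a reseller's block but will also hit unrelated subscribers in it, and the operator has to choose the prefix lengths it wants before ingest, because nothing can be recomputed from the stored tokens later.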
Captchas, rate limiting, slight changes to the way you interact such as changing words, changing positions, etc.
This is a solved problem, but these things create friction for the user. And friction is the opposite of what modern tech says you want to provide to your user.
Get them to endlessly scroll, comment thoughtlessly.
There isn't one. But that's irrelevant because the services that require your phone number don't do it for the sake of security or to combat bots, they do it to gather data. When you give a megacorp your phone number, they get your real name, your relationships, and a myriad of data points to sell.
This is the reason why all megacorp mobile apps and every other free flashlight/calculator/alarm app require access to your contact list.
>but that's irrelevant because the services that require your phone number don't do it for the sake of security or to combat bots
Discord allows you to enable phone number verification at a per-admin level basis; and it is done to reduce spam and bots. You can't just pretend the problem doesn't exist.
I don't mean to suggest the burden is on you to provide one, but what alternative even comes close to requiring a phone number for account creation... perhaps a credit card authorization?