
So after forcing users to enter a phone number to continue using twitter, despite twitter having no need to know the user's phone number, they then leak the phone numbers and associated accounts. Great.

But it gets worse... After being told of the leak in January, rather than disclosing the fact that millions of users' data had been open for anyone who looked, they quietly fixed it and hoped nobody else had found it.

It was only when the press started to notice they finally disclosed the leak.

That isn't just one bug causing a security leak - it's a chain of bad decisions and bad security culture, and if anything should attract government fines for lax data security, this is it.




The whole announcement reeks of "Stop hitting yourself!"

What scum. They had lots of chances to fix this, the first one being not collecting phone numbers in the first place. They chose to do that, and then they didn't adequately protect it, and now they're oh so very surprised that someone might be doxing their most vulnerable users.

If anyone is harmed by this, Twitter should be held liable.


They didn't actually just fail to protect the phone numbers. They actively used them illegally to market services outside the purpose for which the numbers were gathered.

https://www.theverge.com/2022/5/25/23141968/ftc-doj-twitter-...


It's not just Twitter. It happens every few months. The problem is centralized sites having "real name policies", requiring you to put your phone number and other crap: https://qbix.com/blog/2021/01/25/no-way-to-prevent-this-says...


I know the answer is money in politics, SV culture, etc. But it's a near certainty twitter will continue as they do, and in 2 weeks everyone will move on.

Maybe they get a small boo-boo in the form of a symbolic fine, managers scramble for a bit, and then the whole thing happens again and again.

Why is this?


Because twitter users care more about the convenience twitter provides than they do about the risks to their privacy and security as a result of using twitter. I suspect most have no idea what the risks are, or have some very limited idea of some of them. Maybe if they had a better understanding of the risks they'd close their accounts and move to something new, but I doubt there'd be enough of them to cause twitter to invest in securing the unnecessary amounts of data they collect.

This sort of thing will only be fixed when we hold companies accountable for failing to protect customer data through regulation with many rows of sharp teeth.


>Why is this?

Because non-twitter users don't give a fuck. And also, twitter users don't give a fuck.


Twitter is vulnerable, most vulnerable of the big social media sites it seems. The Musk deal has fallen through, and it seems like Musk was not the only one to lose confidence in Twitter. It could easily go the way of Myspace. How many users does Myspace have these days? Active users


Discord is also like this and it drives me nuts.


They also refuse voip numbers. I am now at 20 back and forth emails with Discord support explaining I do not own a cell phone. They are seriously suggesting I buy one just to use Discord.


Yeah. I used to live in a semi-rural area with no mobile phone coverage, and the insane level of disbelief from places when you tell them "I have no mobile phone" was a real problem. Including banks, and other utilities. :(


Maybe there needs to be some sort of law that prohibits this sort of thing.

In the meantime, Discord has been added to my "do not recommend" list.


Perhaps if you paid for discord. I happily pay for nitro because I see value in supporting discord. Still had to give them my number despite already paying them. I'd be happy about that sort of regulation.


I usually don't do ads, however there is a tool called SMS pva where you can rent phone numbers specific for services for a one time confirmation. You usually get a working one on first try.

I can't even count how many companies suggested that I should 'just get a phone number' to use their service.


I've seriously considered buying burner phones like a goddamn drug dealer for bullshit like this.


Cell phone numbers require KYC in almost all countries so they put people that require anonymity at risk.


Burn phone as a service.


Requiring a phone number is part of fraud & spam prevention. Maybe you'd make a different tradeoff but that's not "no reason."


> The FTC says Twitter induced people to provide their phone numbers and email addresses by claiming that the company’s purpose was, for example, to “Safeguard your account.

> ...

> But according to the FTC, much more was going on behind the scenes. In fact, in addition to using people’s phone numbers and email addresses for the protective purposes the company claimed, Twitter also used the information to serve people targeted ads – ads that enriched Twitter by the multi-millions.

source: https://www.ftc.gov/business-guidance/blog/2022/05/twitter-p...

So you're right, it wasn't for "no reason", but it also wasn't just for fraud and spam prevention, security, or any of the other lies Twitter told users.


Exactly. I don't have an issue with this if I know they're not using it to farm shit off of me.

But then again, they wouldn't make much money otherwise.


it adds a small cost to creating sockpuppets but it adds much larger value in having personal data for targeted ads

like my sibling said, twitter was dishonest to their users about how the phone number was to be used

if it's just to prevent bot signups, why keep it on file at all?


They no longer use it for ads, so the value now is just fraud and security.

> if it's just to prevent bot signups, why keep it on file at all?

I mean, you need the actual number for 2FA. I guess maybe you could hash it after some amount of time just for blocking bots? You couldn't just discard it or one number could create unlimited bots.
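One way to build the scheme sketched in the comment above (keep the plaintext number only while it is needed for SMS 2FA, keep a derived token for blocking repeat bot signups), as an added example written for this thread rather than code from Twitter or from the commenter. It deliberately uses a keyed HMAC instead of a plain hash: phone numbers come from a space of roughly 10^10 values per country, so an unkeyed SHA-256 of the number is brute-forceable from a leaked table in hours, whereas HMAC tokens are useless without the server-side key. The secret value, the simplified digit-only normalization (it does not add missing country codes), and the limit of three accounts per number are all assumptions made up for the example.

```python
import hmac
import hashlib
import re
from dataclasses import dataclass, field

# Constructed demo secret. In a real deployment this lives in a KMS or secret
# store, separate from the database, so that a dumped table of tokens cannot
# be inverted.
SERVER_PEPPER = b"constructed-demo-secret-do-not-use"


def normalize_phone(raw: str) -> str:
    """Simplified normalization (assumption): strip everything but digits and
    prefix '+', so '+1 (555) 010-1234' and '15550101234' produce one key.
    Real systems would parse to E.164 and add the country code."""
    digits = re.sub(r"\D", "", raw)
    if not digits:
        raise ValueError("no digits in phone number")
    return "+" + digits


def phone_token(raw: str, pepper: bytes = SERVER_PEPPER) -> str:
    """Keyed hash of the normalized number. Equal numbers give equal tokens,
    so tokens can be used for dedup, but without `pepper` an attacker holding
    the table cannot enumerate the ~10^10 candidate numbers to recover them."""
    msg = normalize_phone(raw).encode()
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()


@dataclass
class PhoneRegistry:
    # token -> number of accounts created with that number (no plaintext here)
    signups: dict = field(default_factory=dict)
    # account id -> plaintext number, held only while SMS 2FA is enabled
    twofa_numbers: dict = field(default_factory=dict)
    max_accounts_per_number: int = 3  # assumed limit for the example

    def register(self, account_id: str, raw_phone: str, sms_2fa: bool) -> bool:
        """Returns False when the number has already been used for the
        maximum number of accounts, which is the bot-signup check."""
        tok = phone_token(raw_phone)
        if self.signups.get(tok, 0) >= self.max_accounts_per_number:
            return False
        self.signups[tok] = self.signups.get(tok, 0) + 1
        if sms_2fa:
            # The number itself is needed to send codes, so keep it, but only
            # for accounts that actually use SMS 2FA.
            self.twofa_numbers[account_id] = normalize_phone(raw_phone)
        return True

    def disable_sms_2fa(self, account_id: str) -> None:
        """Drop the plaintext as soon as it is no longer needed; the token in
        `signups` still prevents the number from being reused without limit."""
        self.twofa_numbers.pop(account_id, None)
```

The point of the split is what a leak exposes: dumping `signups` yields only HMAC tokens, and `twofa_numbers` holds numbers only for the subset of accounts that opted into SMS codes, instead of one number for every account that ever signed up.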


Multiple companies have been caught using information for ads that they said they wouldn't, and Twitter have already proven that they're not trustworthy.


They might use it in ranking posts presented to you. Or deciding where yours rank.

There’s more to sorting than just ads, security and fraud.


As someone that chooses not to own a cell phone, I am often written off as collateral damage in this type of thinking.


I pay about $0.2 for a working phone number instantly via API. Or pennies for packs of aged accounts. Do you actually think that stops anything?



