Twitter may have leaked your private messages

A reminder that “private” might not always mean what you think it does.

Published by John Opdenakker
On Friday evening, when I opened the Twitter app on my phone, I got the following notification.
This sounds pretty bad. When I read this message, I concluded that DMs or protected tweets might have been sent to developers who work for Twitter, and that this had been possible for more than a year. But the message is a bit misleading.


What did actually happen?

More info about the potential data leak can be found here. The bug mentioned in the notification was in the Twitter API that can be used by registered developers. So we're not talking about developers working for Twitter, but about everyone with a developer account registered via Twitter's development platform.
These accounts are used to "build tools to better support businesses and their communications with customers on Twitter". So if you interacted with a person or a company on Twitter that used the affected API, these interactions might have been sent to another registered developer.

This means the potential impact is even bigger than initially thought. But if we may believe Twitter it only happens in exceptional cases: “A complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source”.
They also say that only 1% of users are affected. But with a total of 335 million users (in Q2 2018), this still means more than 3 million impacted users.


What can you do?

Unfortunately, not all details are known yet, but because the problem originated from a bug in one of Twitter's APIs, there is not much you can do to safeguard your data. Twitter asked the registered developers to delete information that was not intended for them. But of course there are no guarantees that they will actually comply with this request.

At this moment there is no need to panic. There is no proof that the leaked data is being abused. However, if you exchanged Personally Identifiable Information via DM between May 2017 and 10 September 2018, you could consider changing it, if possible.

What we should learn from this incident is that we need to be aware of the risks associated with online chat and think very consciously about what information we share through this medium. Twitter calls its DMs “private messages”, which gives people a false sense of trust. DMs can’t be considered private or confidential, because Twitter doesn’t implement end-to-end encryption. This means that you can’t be sure that no one else but you and the user(s) you communicate with can read the messages.

For this reason you shouldn't send sensitive personal data via Twitter or any other unencrypted chat. If you really want a private communication channel, use end-to-end encrypted communication apps like Signal, WhatsApp…