Report: Twitter’s Security Problems Were Self-Inflicted

Posted on July 27, 2020 by Paul Thurrott in Social with 4 Comments

Twitter Talks Up Its Move to PWA

A Bloomberg report claims that employees warned Twitter about security issues at the service for at least five years to no avail. And when the service was recently hacked, those employees were not surprised.

The report cites four former Twitter employees and several contractors.

According to the report, there are over 1,500 people who reset Twitter accounts, review security breaches, and respond to content violations, and only some of them actually work for the social networking service. Worse, there are multiple reported instances in which contractors accessed the personal data of celebrities and other Twitter users, including their email addresses and phone numbers.

Employees began warning Twitter CEO Jack Dorsey about these breaches as long ago as 2015, and continued right up until earlier this month when dozens of high-profile Twitter accounts were hijacked a as part of a Bitcoin-based scheme. And it was Twitter’s lax control over the people who can access sensitive user data that led to the success of the attack.

Twitter denies the charges.

“We have no indication that the partners we work with on customer service and account management played a part [in the attack],” a Twitter statement claims. That said, Mr. Dorsey told investors that Twitter could have done more. “We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools,” he admitted.

Tagged with

Join the discussion!

BECOME A THURROTT MEMBER:

Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Register
Comments (4)

4 responses to “Report: Twitter’s Security Problems Were Self-Inflicted”

  1. eric_rasmussen

    This is normal. Security is always a nice-to-have feature in most tech companies, meaning that it's never given priority over other tasks. That is, until there's a data breach. Then it's suddenly the most important feature, security is slapped together haphazardly, and then everyone is happy that they dealt with the emergency successfully. Until the next breach hits.


    I've been through this cycle a half-dozen times. Nobody likes to make security a priority because it's difficult to do correctly and it often puts barricades in the way of shipping out feature updates as fast as possible. Companies make money by selling features, not by implementing security, so it's seen as a waste of money by those who don't fully understand what can happen in a breach.


    I do make security first for my own company and I try to think ahead about how I will be attacked, but I also realize that I'm not a security expert. During development I always use an external service to periodically audit our platform for vulnerabilities. The recommendations that come back have saved me more than once, and the ways they find to break in are sometimes pretty astonishing. The more I use them, the more I realize that most companies don't and therefore all of our data is likely out in the wild already.

  2. proftheory

    Now if only they were using LastPass Enterprise they could have cut off all those that didn't need to have access.

  3. mattbg

    Thumbs up to Romesh Ranganathan on the Twitter megaphone :)


    Given the potential impact, it almost seems like the user data part of these companies should be regulated as with financial institutions where, for example, people do get fired for "accessing account information that they had no business reason to access", with all affected customers notified.


    Problem is, I have trouble expecting anything from a company that is providing a service to me that I'm not paying for.

  4. stevem

    Great to see the British comedian Romesh Ranganathan be featured in the photo.

Leave a Reply