On Thursday last week, Twitter published a notice stating that all 330 million users of its service should change their password, because a bug had caused passwords to be written in readable form (plaintext) to an internal system, rather than being held only as a hash. Hashing is a one-way transformation, not randomised data: the same password and salt always give the same digest, which is what lets a password be verified without the password itself ever being stored.
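To make the plaintext-versus-hash distinction concrete, here is an added Python example (not code from the original post, and not Twitter's code; the in-memory log sink, the user name and the password value are constructed for illustration). It shows the bug pattern the notice describes, a login path that writes the raw request to a log before the password is hashed, beside a hardened version that redacts the secret before logging and stores only a salted PBKDF2 digest, plus a scrubber for log lines that already contain `password=` fields.

```python
import hashlib
import hmac
import re
import secrets

# Constructed in-memory log sink standing in for an internal log file.
LOG = []


def log_event(message):
    """Append a line to the constructed log and return it."""
    LOG.append(message)
    return message


def hash_password(password, salt=None, iterations=200_000):
    """Salted, deliberately slow, one-way hash (PBKDF2-HMAC-SHA256).

    Deterministic for a given (password, salt): that is what makes later
    verification possible without keeping the password around.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute the digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


# --- Vulnerable pattern: the whole request is logged *before* hashing -------
def leaky_login(username, password):
    # Debug-style logging of the raw request puts the plaintext secret on disk.
    log_event(f"login attempt user={username} password={password}")
    return hash_password(password)


# --- Hardened pattern: redact first, then hash, and log only non-secrets -----
def redact(value):
    return "<redacted>" if value else "<empty>"


def hardened_login(username, password):
    log_event(f"login attempt user={username} password={redact(password)}")
    return hash_password(password)


# --- Clean-up: mask password fields in log lines that were already written ---
_PASSWORD_FIELD = re.compile(r"(password=)(\S+)")


def scrub_log_line(line):
    """Replace the value of any password=... field with a placeholder."""
    return _PASSWORD_FIELD.sub(r"\1<redacted>", line)


def leaked_lines(password):
    """Return the log lines that contain the plaintext password."""
    return [line for line in LOG if password in line]


if __name__ == "__main__":
    # Constructed demo credentials; not real accounts.
    salt, digest = leaky_login("alice", "correct horse battery staple")
    print("leaky:", leaked_lines("correct horse battery staple"))
    print("scrubbed:", [scrub_log_line(l) for l in LOG])
    LOG.clear()
    salt, digest = hardened_login("alice", "correct horse battery staple")
    print("hardened:", leaked_lines("correct horse battery staple"))
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
```

The point of the example is that the hash itself was never the problem: a single log statement placed before the hashing step is enough to expose every password that passes through it, which is why the fix is both redaction at the logging call site and a scrub of whatever was already written.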
Now, on one hand, we should admire them for being proactive and coming forward to tell us to take this precaution. However, as a security industry specialist, I still have some very real concerns about the announcement, and some deeply disturbing unanswered questions. For example:
- How was the problem found in the first place? I find it implausible that it was discovered through a routine inspection; it seems more likely that they were alerted by an external party.
- How could it possibly affect all 330 million users? Typically, when a company tells all of its users to change their password, it implies it has no idea who might have got into its systems.
- Twitter states, in an unattributed blog post, that they are "very sorry", yet they have form on this: the US Federal Trade Commission settled with Twitter in 2010 over earlier breaches, under an order requiring independent security audits for ten years. If it was one of these audits that found the problem, why has the FTC not commented yet?
- The timing of the announcement is also telling. Were they forced to alert their users now, ahead of the GDPR enforcement date (May 25th), to head off the penalties that would apply if someone later established a causal link between a privacy breach and the Twitter data exposure?
But perhaps most of all, I am annoyed by yet another service provider (and yes, I know their service is free, so my expectations shouldn't be so high) not really taking responsibility for my credentials, and then downplaying the impact because their own business is not really affected. Organisations suffering a breach never consider its impact from their users' perspective, or the fact that they have compromised a 'duty of care'. They fall back behind their always ridiculously verbose Terms of Service and push a message of "nothing to see here, move along please".
And finally, how are they positively informing all of their 330 million users? Surely it would be a simple task for the world's biggest messaging platform to send a message to everyone on its list telling them to change their password. But perhaps this might open them up to more questions from their community?
See what Reuters has to say here.