Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
October 9, 2019

Twitter 2FA phone numbers “inadvertently” used for advertising purposes

Twitter’s Support account published the following announcement on Tuesday:

We recently found that some email addresses and phone numbers provided for account security may have been used unintentionally for advertising purposes. This is no longer happening and we wanted to give you more clarity around the situation: https://t.co/bBLQHwDHeQ

— Twitter Support (@TwitterSupport) October 8, 2019

The linked post, however, offered little additional clarity.

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” the company said.

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware.”

Was it just one advertiser or more of them? Does this mean that the advertiser(s) gets to “keep” this information? If it doesn’t, how can Twitter be sure that the information is unmatched/scrubbed? Twitter says this was done in error – how is that possible? What guarantees do users have it won’t happen again? Which users’ information was affected by this error? Should anyone who has entered their phone number or email address to set up 2FA assume their info has been shared? How long was this going on?

They couldn’t have been more vague than they were.
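The matching Twitter describes (an advertiser's uploaded list compared against the contact details on file) and the purpose check that would have kept security-only identifiers out of it, as an added Python illustration. This is not Twitter's code; the hashed-list upload format, the purpose tags and all sample users are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class Purpose(Enum):
    SECURITY = "security"        # supplied for 2FA / account recovery only
    ADVERTISING = "advertising"  # user agreed to ad-audience matching

@dataclass(frozen=True)
class Contact:
    value: str               # email address or phone number
    purposes: frozenset      # Purpose values this identifier may be used for

@dataclass
class Account:
    user_id: str
    contacts: list

def normalize(value: str) -> str:
    """Canonicalise before hashing: lowercase emails; keep only digits and '+' in phone numbers."""
    value = value.strip().lower()
    return value if "@" in value else "".join(ch for ch in value if ch.isdigit() or ch == "+")

def hash_identifier(value: str) -> str:
    """SHA-256 of the normalised identifier (assumed format of the advertiser's uploaded list)."""
    return hashlib.sha256(normalize(value).encode()).hexdigest()

def match_audience(accounts, advertiser_hashes, required=Purpose.ADVERTISING):
    """user_ids matching the advertiser list using only identifiers the user gave for `required`.
    required=None reproduces the flawed behaviour: matching on every identifier, whatever its purpose."""
    matched = set()
    for acct in accounts:
        for c in acct.contacts:
            if required is not None and required not in c.purposes:
                continue                    # security-only data never enters the ad pipeline
            if hash_identifier(c.value) in advertiser_hashes:
                matched.add(acct.user_id)
    return matched

def audit_leaked_matches(accounts, advertiser_hashes):
    """Detection control: users who would match ONLY through security-purpose identifiers."""
    return match_audience(accounts, advertiser_hashes, None) - match_audience(accounts, advertiser_hashes)

# Constructed sample data (not real users or a real advertiser upload).
ACCOUNTS = [
    Account("alice", [Contact("+1 555 0100", frozenset({Purpose.SECURITY}))]),
    Account("bob", [Contact("Bob@Example.com", frozenset({Purpose.ADVERTISING}))]),
    Account("carol", [Contact("carol@example.com", frozenset({Purpose.SECURITY, Purpose.ADVERTISING}))]),
]
ADVERTISER_LIST = {hash_identifier(v) for v in ("+15550100", "bob@example.com", "carol@example.com", "dave@example.com")}
```

Running `audit_leaked_matches(ACCOUNTS, ADVERTISER_LIST)` on this data flags alice, whose phone number exists only for 2FA; a check of that kind on each upload is what turns an "inadvertent" match into an alert.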

Disgruntled users doubt it was an error

The announcement has spurred many users to comment, the majority of which have made it clear that they don’t believe the “error” happened “unintentionally”.

Cryptography professor and vocal security advocate Matthew Green linked Twitter’s “error” to Facebook’s 2018 decision to use the phone numbers users provided for 2-factor authentication (2FA) to spam users with ads. He also posited that, based on the blowback from this move, Twitter will decide whether or not to go ahead with using 2FA numbers “for all its product priorities.”

EFF’s Director of Cybersecurity Eva Galperin lamented that this “kind of behavior undermines people’s willingness to use 2FA and makes them less secure in the long run.”

Twitter requires users to share their phone number if they want to enable 2FA on their accounts, whether they opt for SMS-based delivery of the second token, software-based TOTP apps (e.g., Google Authenticator), or a physical security key.

The latter two options should not require Twitter to know the user’s phone number but, nevertheless, Twitter insists upon it: if you remove the phone number from your account, the company immediately switches off 2FA (or, as they call it, login verification).
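To make concrete why a TOTP app needs no phone number: the server stores a random shared secret at enrolment and verification is the RFC 4226/6238 arithmetic over that secret and the clock. Added example, not Twitter's code; the enrolment record layout and the `verify` window are assumptions, and the test secret is the one from the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)

def enroll(user_id: str):
    """Everything the server must keep for a TOTP enrolment: the user id and a random secret.
    Returns (stored record, base32 secret for the authenticator app's QR code). No phone number."""
    secret = secrets.token_bytes(20)                      # 160-bit secret, as RFC 4226 recommends
    return {"user_id": user_id, "totp_secret": secret}, base64.b32encode(secret).decode()

def verify(record: dict, code: str, at: int = None, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or +/- `window` steps (clock drift), constant-time compare."""
    at = int(time.time()) if at is None else at
    return any(
        hmac.compare_digest(totp(record["totp_secret"], at + k * step, step), code)
        for k in range(-window, window + 1)
    )

# Test secret published in RFC 4226 / RFC 6238 (not a real user's secret).
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    record, provisioning_secret = enroll("demo-user")
    print("stored fields:", sorted(record))               # ['totp_secret', 'user_id']
    print("code at t=59 for RFC secret:", totp(RFC_TEST_SECRET, 59))
```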

Although the weaknesses of SMS-based 2FA are well known and increasingly exploited by attackers, through social engineering and flaws in the SS7 telephony signaling protocols, any form of multi-factor authentication (MFA) puts users beyond the reach of most attacks, so any option is better than a password alone.

Too many users are still not convinced of 2FA’s advantages or are not tech-savvy enough to use it, so it is unfortunate that companies such as Facebook and Twitter are not doing more to prevent “errors” such as these, which undermine the already limited willingness to adopt 2FA.
