Twitter suspects state-sponsored ties to support forum breach

One of Twitter’s support forums was hit by a data breach that may have ties to a state-sponsored attack, however users' personal data was exposed.

The support forum is dedicated to account holders who are having issues with their account and need to contact Twitter.

Twitter began working on a fix for the breach on November 15 and was promptly fixed by November 16. The breach allowed the attackers to discover the country code of Twitter users’ phone numbers - if a number was associated with their account.  

Attackers could also find out if users’ accounts had been locked by Twitter. Twitter does this when an account appears to violate the company’s rules or terms of service.

“Importantly, this issue did not expose full phone numbers or any other personal data. We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted,” Twitter states.

The company also says it has been investigating where the attack came from and its background so users are well informed.

“During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors.”

The company says it remains committed to full transparency and it has notified law enforcement about its research. Its biannual Twitter Transparency Report published trends in a number of areas, including platform manipulation, information requests, email privacy, and removal requests.

“No action is required by account holders and we have resolved the issue,” Twitter writes.

The company has also set up a data protection inquiry form for users who have questions or concerns. The form provides a secure form for users to contact Twitter’s data protection officer, Damien Kieran. 

This is not the first time Twitter has been caught up in a data breach – although most of them were its own fault.

In May 2018, a bug exposed Twitter users’ passwords that were stored in plain text in an internal log. The company encouraged all Twitter users to change their passwords.

“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” CTO Parag Agrawal wrote in May. 

Just four months later, Twitter’s Account Activity API allowed third party developers to accidentally expose user activity data including direct messages and protected tweets. The bug affected less than 1% of Twitter users, however it remained at large for more than a year from May 2017 to September 2018.

Twitter apologises for the latest breach.

“We recognise and appreciate the trust you place in us, and are committed to earning that trust every day. We are sorry this happened.”