More privacy concerns hit Twitter

User privacy on Twitter has returned to the headlines following two patches that the social media platform had to implement to address glitches in its security systems.

News broke earlier this week that an IT bug was being exploited by hackers, putting county codes of account phone numbers at risk. The nefarious activity had been traced to IP addresses in China and Saudi Arabia.

The reports came after similarly serious revelations regarding a glitch that enabled several applications to read account holders’ direct messages (DMs).

Twitter, like all other social media platforms, has come under intense pressure to issue safeguards for the ways in which it collects and handles private data. Scrutiny has only intensified by hiccups that fall short of data security standards as laid out by the General Data Protection Regulation (GDPR) which came into effect on May 25th 2018.

At the end of the summer, a problem came to light regarding technology that allowed software developers to read users DMs, while prior to this, news broke of another IT botch which caused account passwords to be stored in plain text.

Speaking to Threatpost, researcher Terence Eden, who reported one of Twitter’s IT glitches, said:

“GDPR means that companies are finally starting to take user privacy seriously. The complexity of social apps – and the large amount of legacy code / endpoints – means there are often unexpected ways that your personal data gets leaked.”

During investigations into the bug that exposed county codes of users’ phone numbers, Twitter engineers noticed suspicious activity regarding the customer support form API.

In a statement, Twitter said:

“Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors.”

Twitter has since said that the issue was resolved last month.

“Importantly, this issue did not expose full phone numbers or any other personal data. We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted,” Twitter said.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.