Twitter Responds to Privacy Breach by Telling Users Not to Register Their Regular Phone Numbers

Big Tech tends to offer predictably dumb solutions to major security weaknesses because the solution which requires least intelligence and expenditure from them is the one which will predictably increase the burden for the rest of us. This tendency has always been evident.

  • Let people obtain online access to important services that are only secured with a password! But what if your lax security means all those passwords are compromised by hackers? Then make the user adopt a second factor for authentication to compensate for the weakness of the first factor!
  • The second factor should be a one time password sent by SMS to the user’s phone! But SMS was never intended to be a secure method of communicating sensitive information, and a policy of routinely sending this information to phones just means hackers will start taking over phone accounts to intercept the passwords. Yeah, but SMS messages are cheap and the phone companies will get the blame for transferring control of the account!
  • Oops! Now we allowed the phone numbers of all our users to get hacked. What should we do? Perhaps the solution involves spending more on security so you are not hacked so often. Nah, we have a better idea: tell customers they should have a second phone which they only use to register for our service!

The direction of travel for this idiotic thought process is obvious when mapped out like this. If we continue down the same path we can all look forward to using a third and fourth factor of authentication for every service, in concert with the third and fourth phone lines we purchased solely for use with multi-factor authentication. You may think I am exaggerating. If so, then read the following advice from Twitter.

To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

Normal people do not have a second phone number that is different to their ‘publicly known’ phone number. Normal people just have phones they use for making and receiving calls to and from everybody and anybody. And Twitter actively pushes users to register a phone number with them, supposedly to make their account more secure. Telling people they should register for Twitter using a phone number that is not ‘publicly known’ is essentially the same as demanding users have multiple phones because they should anticipate that Twitter will be hacked and the phone numbers added for ‘security’ will inevitably be compromised.

This incredible advice from Twitter came in response to a recent data breach. In July a hacker using the name ‘devil’ posted to a forum an offer to sell data from 5.4 million Twitter accounts in exchange for USD30,000, as first reported by Restore Privacy. Twitter have few excuses for permitting the breach, as the vulnerability exploited by the hacker was previously notified to them. A user with the alias of ‘zhirinovskiy’ notified Twitter of the vulnerability via the HackerOne platform and was awarded a bounty of USD5,040 on January 12.

Restore Privacy broke the story on July 21 but it was only on August 5 that Twitter publicly admitted they had been hacked. Their announcement confirms the hacker had exploited the same vulnerability as that identified by zhirinovskiy. Twitter claim they fixed the vulnerability as soon as they learned of it from zhirinovskiy, but we only have their word for that. Twitter’s management had increased reason to cover up their failings because of the poisonous public fight with Elon Musk over his withdrawn bid to purchase their company. The wording of their announcement suggests they would not have made any public announcement if they were able to contact all the affected account holders privately.

We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.

Twitter’s advice about phone numbers is phrased as if it is only relevant to pseudonymous users who have not associated a real-life identity with their account. Some of them may not choose to share their real identity because they use Twitter to make communications which are illegal in their country, such as criticizing government oppression. Twitter’s management team will know which accounts were compromised and they may be conscious that their failings have put lives in danger. Risks like these should not be underestimated. Many years ago I witnessed the extreme reactions contemplated by some senior decision makers just because a pseudonymous Twitter user compared the Emir of Qatar to a pig. Cooler heads prevailed on that occasion but people in power do not like to be mocked and there will always be some who will want to know the origin of criticism and insults so they can exercise retribution. A meaningless Twitter handle may leave authoritarians frustrated, whilst disclosing the user’s phone number will sometimes be the same as passing a death sentence.

Whilst Twitter couched their advice as if it only relates to pseudonymous users, the truth is that the message is the same for all of us: if you give Twitter your phone number, then you put yourself at risk because that phone number will be compromised during a data breach. Instead of consciously accepting responsibility for safeguarding our personal data, Twitter’s management have twisted reality so that they feel we are responsible for risking our personal data when we choose to give Twitter the information they keep asking for. And if we are going to take that risk, then Twitter’s advice is to mitigate the risk by giving them a phone number that nobody will be able to associate with us, which will sound like make-believe to all those people who live under oppressive regimes that require them to register their identity to obtain a phone and which have implemented surveillance systems which could monitor the movements of any phone, whether registered or not.

So please ponder Twitter’s advice and then draw a more meaningful, and less contradictory, conclusion than they ever will. If you want to use Twitter, accept that your personal data will be obtained by criminals and spies before long. If you worry about coming to harm then give Twitter the least amount of data you can, because they are effectively telling you that they cannot be trusted with it. And if you wanted to be really safe, you should never have registered for a Twitter account in the first place.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.