Twitter says some business users had their private data exposed

Flip the “days since the last Twitter security incident” back to zero.

Twitter said Tuesday that it has emailed its business customers, such as those who advertise on the site, to warn that their information may have been compromised in a security lapse.

The social network giant said that business users’ billing information was inadvertently stored in the browser’s cache, and it was “possible” that others, such as those who share computers, could have accessed it.

That data includes the business users’ email addresses, phone numbers and the last four digits of the credit card number associated with their account.

Twitter told users that it first became aware of the problem on May 20, a month after Twitter disclosed a similar bug that improperly stored Twitter user data, such as direct messages, in Firefox’s browser cache.

BBC News was first to report the news.

Twitter spokesperson Laura Pacas confirmed the incident to TechCrunch, but declined to disclose the number of people affected.

“We became aware of an incident where if you viewed your billing information on ads.twitter.com or analytics.twitter.com the billing information may have been stored in the browser’s cache,” the spokesperson said. “As soon as we discovered this was happening, we resolved the issue and communicated to potentially impacted clients to make sure they were aware and informed on how to protect themselves moving forward.”

It’s Twitter’s latest security incident in recent years.

Last year alone, Twitter closed a bug that allowed a researcher to discover phone numbers associated with millions of Twitter accounts; admitted it gave account location data to one of its partners, even if the user had opted out of having their data shared; and inadvertently gave its ad partners more data than it should have. Twitter last year also said it had used phone numbers that users provided for two-factor authentication to serve targeted ads.

In 2018, Twitter admitted it stored user passwords in plaintext, and warned its millions of users to reset their passwords.