Twitter is in an unprecedented era of uncertainty. When security professionals face uncertainty, we plan for the worst.
In the case of Twitter, one worst-case scenario is that if and when the platform goes away, your information – including sensitive direct messages, and personal information such as your name, location, phone number, and birthdate, among others – could disappear or fall into the hands of those who you never intended to have it.
And while people’s first thought about this risk might be “who cares, isn’t Twitter all public anyway”, there is in fact a lot of information you should be concerned about protecting. First, there’s any personal information you have stored with the service (like phone number, birthdate). Second and more importantly, many people have been using Twitter Direct Messages for important and sensitive information exchange. Organizations that have used Twitter for customer service in particular should be concerned about what information is present in Direct Messages and what could happen if that falls into unexpected hands.
Here are three things you should do right away to better protect yourself and your information:
- Download a Copy of Your Data
If Twitter were to disappear tomorrow, the data that is stored there would disappear with it. This is the reality of all cloud-based services. If you are not okay with losing your data entirely, download a copy of it for yourself. This is the only way to ensure that your data isn’t lost forever if Twitter is.
- Remove All Personal and Sensitive Information
Next, remove all sensitive and personal information. A simple rule of thumb to follow: if you’re not okay with your information becoming completely public on the Internet, remove it. This means going in and removing information like your date of birth, phone number, payment information, and geographic location information among other personal data. Consider not just the risk of the information itself, but the risk that it could be used in combination with other information that’s available from other public sources or data leaks.
Pay particular attention to your Direct Messages. While most people think of Twitter as a “public” platform, they often forget about Direct Messages, which people often wrongly treated as a secured private messaging system. It’s actually not secured or private, however, people often use it for sensitive conversations they wouldn’t want to be public. Be warned though: if you delete a Direct Message, you’ve only deleted your copy of it; any other parties in the conversation may have their own copies of the message. If you want to be thorough, you should not only delete your Direct Messages but ask those in the conversations to delete their copies as well.
- Secure Your Account
If you have no plans to be active on Twitter, disable your account. Do not delete your account: that can enable someone to take over your Twitter handle after you’re gone and potentially impersonate you.
If you plan to remain active on Twitter, ensure that you’re using a unique and complex password. You should enable multi-factor authentication using an app or security key; do not use SMS-based two-factor authentication as that would require you to store your phone number, which is a risk. Disconnect any apps that are connected to your Twitter account and log out of any other sessions. You should also consider locking your account, which will give you the ability to control who can see your posts and interact with you.
Whether you continue to stay active on Twitter or not, these are steps that everyone with a Twitter account should take immediately. Following these steps can help protect against possible worst-case scenarios. And with the level of uncertainty, it’s better to take these steps now than later.
By Christopher Budd, Senior Threat Research Manager at Sophos
