More details about the security profile of Twitter are emerging
Of note, the internal tools that can change user account settings and hand control over to others were accessible by over 1,000 employees.
Over 1,500 employees have access to reset accounts, review user breaches, and respond to content violations. Bloomberg is reporting that the controls were QUOTE “so porous that at one point in 2017 and 2018 some contractors made a kind of game out of creating bogus help-desk inquiries that allowed them to peek into celebrity accounts, including Beyonce’s, to track the stars’ personal data including their approximate locations gleaned from their devices’ IP addresses”
And, the company had been warned about security issues for at least five years.
Why do we care?
The key lesson to the breach by attackers at Twitter is that it was a failure of security policy. This wasn’t a technology problem – this was a policy one.
Providers should be thinking about this. Each manage a number of systems which have complete and total control over their customers. Can one employee go rogue? Do you have workflows and multi-level approvals? Is auditing setup correctly?
And this isn’t a set it once and forget it solution – you will have to monitor and manage this on an ongoing basis.
Trust, but verify… or perhaps, trust no one completely.
Source: Business Insider