Weekly Threat Report - 11th October 2019
Twitter apologises following misuse of user details
The ‘unintentional’ use of user email addresses and phone numbers for targeted advertising has prompted an apology from Twitter.
Twitter has confirmed that third party advertisers could have targeted certain users using these details, which have been provided for security purposes, without the user’s permission. A statement from Twitter revealed they could not determine how many users had been affected.
To create a Twitter account, users must provide a valid email address and phone number to set up an account, and these do help with account security. However, Twitter disables accounts without phone numbers even if that user isn’t using a phone number-reliant form of two-factor authentication (2FA) protection (such as a verification code sent in a text message).
2FA provides a way of 'double checking' that you really are the person you are claiming to be when you're using online services, such as banking, email or, in this case, social media.
There are better forms of 2FA than the SMS-based approach, such as authenticator apps and back-up codes, but any 2FA is much better than no 2FA at all.
You can read more about setting up 2FA in our guidance. We would also recommend reading this report from Alex Weinert of Microsoft which explains how 2FA will protect users from the majority of cyber attacks.
The NCSC also has advice aimed at individuals and families about using social media safely and securely.
Thousands of retailers affected by hack
Retailers, including the official Sesame Street store, have been targeted by a hack that can steal credit card details.
At the time of writing Volusion, who provide thousands of companies with shopping cart software, had not responded to the reports or acted on the issue.
Users who may be worried about their credit card details following these reports can follow similar advice issued by the NCSC when Ticketmaster UK were affected by malicious software on a product hosted by a third-party supplier.