Twitter contractors allowed to snoop on user accounts, report says

In an article detailing this month's massive Twitter Bitcoin scam, Bloomberg said contractors were allowed broad access to user accounts.
A sign attached to Twitter’s global headquarters is viewed from a sidewalk on Market Street in San Francisco, California. June 18, 2014. (Photo: Matthew Keys/The Desk/Creative Commons)

Security contractors hired by Twitter had broad access to user accounts and often snooped on celebrities and other individuals with large followings, according to a report.

On Monday, Bloomberg published a lengthy piece detailing security woes at the social media company in the wake of a massive Bitcoin-focused compromise that saw thousands of verified user accounts frozen for several hours while Twitter’s in-house security team worked to sort through the mess.

Turns out, according to Bloomberg, Twitter has known about its security lapses for years — and often moved slowly to address them.

Twitter employees raised flags about the company’s security lapses involving user accounts since at least 2015 and every year thereafter, Bloomberg said. Those concerns were deferred in favor of other security initiatives, the report said.

Contractors, including some who worked with Twitter’s preferred security agency Cognizant Technology Solutions, were proficient at snooping on user accounts and had broad access to powerful tools that allowed them to read personal details like email addresses and phone numbers associated with accounts.

Those details appear limited at first glance, but Bloomberg said they gave malicious insiders enough information to eventually compromise an account, at which point publishing fraudulent tweets and reading intimate direct messages were more than possible.

Contract employees, including those who worked for Cognizant, were routinely fired when it was discovered they overstepped their authority in providing support to Twitter and its users. The intrusions were so common that Twitter’s internal team had difficulty tracking them, Bloomberg said, and it became even more difficult when Cognizant employees and other contractors started creating bogus support tickets in an attempt to legitimize their fraudulent access.

Security at Twitter has come sharply into focus since the company was targeted by a handful of renegade hackers who compromised the accounts of more than 100 high-profile individuals, robbing people of tens of thousands of dollars in Bitcoin in the process.

Former employees told Bloomberg that Twitter’s chief executive Jack Dorsey and other members of Twitter’s board have been warned for years about security defects at the social media company — and passed on the chance to take a proactive position on the matter.

Now, Dorsey finds himself on the defensive side, the leader of a publicly-traded company whose lackluster security protocols made it the embarrassment of the digital media world — if only for a day.

“Last week was a really tough week for all of us at Twitter,” Dorsey said on a recent conference call with investors. “We fell behind both in our protection duties and restrictions on our internal tools, and for that I apologize.”

Twitter is now working with federal law enforcement authorities to investigate precisely what happened and who was responsible for this month’s breach.
