A Bloomberg Report Says That Twitter Has Struggled for Years to Control Internal Access to High-Profile Accounts bloomberg.com

Jordan Robertson, Bloomberg:

Twitter’s oversight over the 1,500 workers who reset accounts, review user breaches and respond to potential content violations for the service’s 186 million daily users have been a source of recurring concern, the employees said. The breadth of personal data most of those workers could access is relatively limited — including such things as Internet Protocol addresses, email addresses and phone numbers — but it’s a starting point to snoop on or even hack an account, they said.

The controls were so porous that at one point in 2017 and 2018 some contractors made a kind of game out of creating bogus help-desk inquiries that allowed them to peek into celebrity accounts, including Beyonce’s, to track the stars’ personal data including their approximate locations gleaned from their devices’ IP addresses, two of the former employees said.

If you recognize the byline on this article, it might be because Robertson is one of the two reporters credited for Bloomberg’s as-yet uncorroborated 2018 report about Chinese interception of server hardware. I don’t normally have a problem with Bloomberg’s articles, its use of anonymous sources, or any specific nit to pick in this piece. But it must be read with the knowledge that its author also wrote a high-profile information security story that, nearly two years later, has not been expanded upon by Bloomberg, corroborated by another publication, or commented upon by its reporters.

For the sake of this post, I am assuming Robertson’s sources at Twitter are reliable and that he is conveying this information accurately, but it would be so much easier to read stories like this if someone — anyone — would explain what the hell happened with that “Big Hack” story.

A couple of years ago, Deepa Seetharaman reported for the Wall Street Journal about Facebook’s unfair implementation of employee access:

Facebook alerts users if they’ve been hacked by outsiders but doesn’t inform them about employees’ access. “Anyone can get alerts about unrecognized logins from other users and check for suspicious activity.” the FB spokesman said.

The ability to log into Facebook as a user without needing that person’s password is limited to a small group of security personnel and other employees. Their actions are closely monitored, current and former employees say.

[…]

Employees, though, are always notified when Facebook engineers access their accounts, even when the company is investigating a possible crime or wrongdoing, the person said.

Twitter will also show new and unrecognized logins on the Notifications page and send the user an email. I cannot think of a good reason why a similar notification should not be displayed when an engineer accesses private information in a user’s account — with the exception of criminal investigations when Twitter or Facebook would be prohibited from doing so. Ideally, employees should have to get some sort of confirmation from a user before their account is able to be accessed.