Twitter contractors in charge of monitoring account security and fraud improperly accessed data from the accounts of celebrities, including Beyoncé, SA TIMES reported this week.
Former employees said Twitter’s internal controls were so lax that contractors were able to see users’ phone numbers, email addresses, and approximate locations by creating fake help desk requests, according to Bloomberg.
Twitter’s security practices have come under intense scrutiny following a major hack of 130 prominent people and companies including Barack Obama, Joe Biden, Jeff Bezos, Elon Musk, Kanye West, Apple and Uber.
More than 1,000 employees and contractors had access to the internal tool at the core of the hack.
Twitter’s lax internal policies allowed members of its security team to access the personal information of celebrity users, including Beyoncé, without their permission, SA TIMES reported this week.
The security team, which is made up of 1,500 employees and contractors, has internal tools that allow it to see users’ phone numbers, email addresses, and approximate location data in order to monitor accounts for fraud and content violations, the report said.
But widespread access to the tools and lenient rules around their use led some contractors to challenge each other to spy on celebrity accounts by submitting fake help desk tickets, former employees told Bloomberg.
Cognizant, the company that employed some of the contractors mentioned, did not immediately respond to Business Insider’s request for comment.
In an email to SA TIMES, a Twitter spokesperson said the company does not tolerate the misuse of internal tools, and that doing so could result in termination, but declined to comment on the specific cases reported by Bloomberg.
The degree of access and control that employees and contractors are granted has come under scrutiny in recent weeks after hackers gained control of internal tools and hijacked the accounts of 130 high-profile individuals and companies, allowing them to perpetrate a Bitcoin scam that likely netted them at least $120,000 (around R2 million).
Twitter said the incident was the result of a “coordinated social engineering attack” – a technique that involves manipulating victims in order to obtain information about an organisation – that allowed the hackers to gain access to internal tools only available to Twitter’s support teams.
With that tool, hackers were able to see users’ personal information, including phone numbers, email addresses, and in some cases, private messages, Twitter said in a blog post detailing what happened.
Last week, SA TIMES reported that more than 1,000 Twitter employees and contract workers had access to that same tool, making it difficult for the company to guard against hacks like this one.
Employees have raised similar concerns around Twitter’s internal security measures on multiple occasions since at least 2015, including to its board of directors, but fixes were put on the back burner in order to prioritise engineering projects focused on making the company more money, according to Bloomberg.