It's time. Delete your Twitter DMs

Twitter is in chaos.

The company has kicked out thousands of its engineers (as well as thousands of the contractors responsible for battling misinformation and harmful content.)

Meanwhile Twitter’s CISO and head of Trust & Safety both quit, both the chief privacy and compliance officers suddenly departed, alongside other top executives inside the company.

And what’s Twitter’s new owner doing?

Elon Musk is scaring off advertisers with his bizarre behaviour, as decisions he made allowed pranksters to impersonate big brands and post tweets that did untold damage to business’s reputation and erased billions of dollars from their market cap.

We talked about some of the problems at Twitter a couple of weeks ago, on the “Smashimg Security” podcast. Little did we know that things were going to go from bad to worse.

The latest screw-up at Twitter? An ill-considered intiative by Musk to rid Twitter of “bloatware” seemingly accidentally locked some users out the site for a while, as SMS-based two-factor authentication was accidentally disabled.

It sounds like someone was ordered to rip some code out of Twitter, and they simply didn’t understand the complexity of Twitter’s system – the gazillions of dependencies and consequences that just making one change can have on other parts of the site.

The only people likely to understand those links and dependencies between Twitter’s systems, and raise a warning of possible consequences, are most likely people that Twitter has already fired. If they even were still employed by the company, chances are that Twitter’s new boss wouldn’t listen to them.

EmailSign up to our newsletter
Security news, advice, and tips.

So, what does this mean for you if you’re a Twitter user? Well, I’m a Twitter user… and I find it worrying.

Because although most of what I do on Twitter is public, I have also had plenty private direct message (DM) conversations in the almost 15 years I’ve been a user on the site.

I can’t remember everything I’ve said in those conversations, or what people may have said back to me.

If Twitter is careless enough to break how 2FA works for some of its users a few days ago, what mistake might they make next? If Twitter’s security experts have either been fired, have quit, or – presumably – are wondering where they should go next, then just how safe is my data on Twitter?

It may be a remote possibility that Twitter will have a monumental security screw-up or suffer a hack that it simply doesn’t have the expertise to protect against, but it is a possibility. And it’s a possibility that seems more probable today than before Elon Musk bought the company.

There’s not anything I can do to make a chaotic Twitter safer. But I can reduce the potential risk to me, by deleting my DMs.

Delete dm conversation

I don’t need all those old DM conversations, they can be erased. They should be erased.

It’s a laborious process (Twitter doesn’t give you an automated way of doing it), but I’d rather delete them one-by-one than one day find that they are in the hands of a hacker or a disgruntled Twitter employee who goes rogue.

PS. You know what’s really galling? Erasing your Twitter DMs doesn’t actually stop Twitter from keeping a copy of your private messages unbeknownst to you, even if you one day completely close your account.

Some final thoughts:

  1. Encourage your Twitter buddies to delete their DMs too, so “both sides” of the conversation are wiped.
  2. Even if Twitter doesn’t delete them behind-the-scenes, if *your* account is breached the messages shouldn’t be readily accessible by a hacker.
  3. If Twitter keeps your private messages even after you have requested they are deleted, is that potentially a (costly) GDPR violation?
  4. If you want to keep a permanent record of your DMs (and your other Twitter activity) consider downloading your Twitter archive.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.
Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.


Source link