Is it time to stop using Twitter as a free support platform?

If there’s one thing that the Covid pandemic has highlighted it’s that we’re far from ready for an ‘all online’ approach to running our daily lives. We’ve entered the weirdest phase so far in our juvenile approach to handling sensitive customer data. We’re now positively encouraging people to send personal information via 3rd party public forums, such as Twitter or Facebook. This would be fine if it wasn’t for two things: a) it’s a 3rd party and b) it’s a public forum. Not only is this a terrible approach to customer service but it’s also dangerous and massively short sighted. Is it time to stop using Twitter as a free CRM platform?

Customer service is vanishing

We’ve just moved house. We’ve moved a lot over the years but this is our first upheaval for a little while. Sadly, despite awareness of GDPR, in the seven years since our last move things seem to have gone from bad to worse in terms of data privacy and information security. If organisations aren’t careful this is going to come back and bite them in a big way. For some it may already be too late.

Take for example the basic task of telling a company about your new address or ordering broadband. In the past you’d at least have been able to call a company up and speak to someone about such basic tasks but this is becoming increasingly difficult and in some cases completely impossible. Excessive on-hold times, non-functional online chat and in many cases no telephone support at all.

Chat systems are often offline
This is becoming a more and more common sight. Telephone support down, online chat down… the only option left is Twitter. But hang on just a minute!

Now to be fair we have had a global pandemic to deal with but this has only served to highlight how painfully ill prepared we are for an ‘all online’ approach to running a business.

Is Twitter a free CRM system?

The really worrying trend in all of this is that more and more companies are forcing customers to use 3rd party platforms such as Twitter or Facebook to get in touch and discuss sensitive matters. Let me make this perfectly clear: Twitter and Facebook aren’t designed to be free CRM systems for your business. Both of these organisations are advertising platforms. They’re designed to scrape as much personal information from their users as possible in order to present them with highly targeted adverts. You can dress it up how you like but that is their business model. There are huge security risks to using these platforms for customer support and it’s frankly arrogant to assume your customers even have accounts with these companies. Most people don’t use Twitter and a huge number of people are abandoning the platform every day. It never was and never will be designed to be a support platform. Yet hundreds if not thousands of high profile companies are still using Twitter as a primary contact method.

Support via Twitter often the only route when all the phone lines are busy
More and more banks seem to be relying on Twitter for customer support. A dangerous precedent! This bank’s two primary contact methods are telephone and Twitter.

Fundamental security concerns

Let’s talk about the basics of dealing with sensitive customer information. At the time of writing it’s 2020 and data protection is no longer something you can brush under the carpet. GDPR has been around for a couple of years now and there’s frankly no excuse for some of the practices I see from big companies on a daily basis. Let’s discuss a couple of immediate security concerns.

Firstly, in the modern age of identity theft and phishing scams, it’s a massive security risk to broadcast to the entire planet what company you use for a particular service. It gives potential hackers an amazing head start. A mere glance at someone’s tweets can give you a full profile of who their utility provider is, who their mobile phone contract is with and what ISP they use. Do you understand how risky this is?

You’re probably using your mobile phone for 2-factor authentication for everything from online banking to tax returns and you’ve just told the entire planet who your provider is. Look up SIM swap scams. All they need to do is contact your provider pretending to be you, “Hi, my SIM card seems to be broken. I have a new one here – can you switch my number to this new SIM?”. They ask a few basic security questions that can be answered from personal information you’ve carelessly shared with the world and bam – access to every account secured via your mobile phone. When I see the private information that some customers wilfully divulge on public platforms it makes me wonder what’s being taught in school with regards to the most basic of levels personal information security.

EDF Energy on Twitter
Confidential information is wilfully shared via 3rd party organisations such as Twitter on a daily basis.
Lack of concern for information security is worrying
This user also shares their actual photograph, date of birth and what they do for a living.
Bulb energy use Twitter for customer support
So a potential hacker knows what utility company you use. How about your e-mail address, full postal address, full name and date of birth too? How confident are you that Twitter will keep this information secure?

In a nutshell, asking customers to get in touch via a public tweet is a VERY bad idea. Especially for sensitive services such as banking, ISPs, utility companies or mobile phone providers. OK, so let’s just get them to send direct messages? Surely that gets us off the hook for sorting out our own CRM system? Well I’ve got bad news for you.

The great Twitter hack of 2020

On the 15th July 2020 Twitter was subject to the most dangerous hack in the history of social media. The accounts of politicians, business elites and celebrities were targeted with what looked like, on the surface, a Bitcoin scam.

The great Twitter hack of 2020
Some of Twitter’s biggest accounts were hacked from inside Twitter’s own systems. Twitter later admitted that private messages (DM’s) had also been accessed.

Hugely influential people were targeted such as Barack Obama, Joe Biden, Bill Gates, Elon Musk, Apple, Uber and Jeff Bezos. Some of the most powerful people and companies on the planet. The content of the hack isn’t the worrying part. Yes, some people have lost some money in a stupid scam. However a great deal more has been lost and that’s only clear when you consider what had to happen to allow all of this to take place.

In was obvious from square one that this wasn’t a normal hack. This wasn’t a case of passwords being ‘guessed’ or social engineering on behalf of the hack victims. That’s an awful lot of effort to gain simultaneous access to some of the biggest Twitter accounts on the planet. When multiple high profile accounts are hacked at the same time it’s the sign of a much bigger and more serious problem. Strong passwords were irrelevant. 2-factor authentication had been bypassed. These accounts were hacked from INSIDE Twitter. Let that sink in for a moment. The Bitcoin bit is a red herring. It’s like that a criminal group had gained access to Twitter’s internal systems. ALL security had been by-passed. Forget about the targeted accounts – the hackers almost certainly had access to EVERY account on Twitter. Not just public tweets but Twitter later admitted that DMs had been accessed too. Worse still, this isn’t the first time that it’s happened! According to this article Twitter has more than 1,500 full-time employees and contractors who have access to make changes to user accounts. Wait what?!? Even people who aren’t directly employed by Twitter have access to user accounts? And what’s that… they were warned about this back in 2015?

According to this Bloomberg article in 2017 & 2018 contractors made a game out of raising bogus helpdesk calls that allowed them to peek in to celebrity accounts. This also gave them location information from the user’s IP address.

Sent any DMs via Twitter lately?

If this doesn’t send a chill down your spine then you need to stop using technology. Walk away from your computer and revert to pen and paper. Whether you’re a customer or a company you need to have a long hard think about what’s going on here.

How many companies who use Twitter as a free support platform go on to say to their customers “Can you drop me a DM with your personal details?”. Forget about the public tweets. How much personal information has been sent to big companies via direct messages on Twitter? The hackers potentially have a copy of ALL that data.

Don't use a 3rd party to hand over confidential ISP details
So hackers now potentially know who your ISP is along with all of your private account information shared via a DM.

Twitter openly confirmed that:

  • Hackers had access to e-mail addresses and phone numbers for a number of Twitter accounts
  • Hackers accessed the DM inbox of at least 36 accounts
  • Up to 8 of the hacked accounts had a full personal data extraction performed using the ‘Your Twitter Data’ tool
  • Twitter don’t know for certain what other private information was accessed from their 330 million strong user base
That’s right folks, the hackers also performed a full data extraction for 8 of the hacked accounts.

Was it really only 130 accounts?

The other thing you need to consider is that the systems were probably hacked way before 10pm on the 15th July. I’m not a hacker but I’ve worked with legitimate hackers over the years – nice folk employed by big companies to test their defences and expose some of their ridiculously stupid security loopholes. If I was an unscrupulous hacker looking to profit from the biggest social media hack in history and had direct to Twitter’s internal systems there’s NO WAY I’d be doing anything public until I’d done a couple of basic things:

Firstly I would copy as much sensitive information from their systems as possible. Naturally this would include historically stored direct messages. What’s your providers’ policy for dealing with DMs on Twitter when a case has been closed? Do you care? Of course you don’t. You know all that highly sensitive information you gave your ISP or utility company? Yes, that.

Moving on, I would target blue checkmarks and the wealthiest people of the planet. I would also target ISPs, mobile phone providers and utility companies… to name but a few. I would take a copy every direct message I could get my hands on. I would then either a) sell this information for a LOT of money, b) hold the companies to ransom, c) hold the users to ransom or d) keep it for a rainy day.

So you know when you contact your ISP via Twitter and they ask you to DM your username and other highly sensitive personal data? Yeah, I would now have all that information.

A lot of organisations are learning that this approach to customer service is a bad idea
Highly confidential private information is being shared via Twitter DMs on a daily basis.

Now a lot of this is just speculation since Twitter haven’t publicised exactly what information was accessed by the hackers (I doubt they know). But this is serious. Very serious.

Zen Internet use Twitter for customer support
Sharing personal information about your ISP on a global 3rd party platform is a very bad idea.

Secondly and most obviously, I’d give myself a back door to gain access to their systems again at a later date. Twitter had 4,600 employees in September 2019. How many had remote access? It’s not beyond the pale to assume that existing administrative accounts are still compromised. Only once I was completely finished would I pull the final stunt and alert them to the fact that I’d been there via a Bitcoin scam.

World War Twitter?

In all of this I haven’t even touched on the potential implications for global politics. I tend to avoid such subjects on this site but we are living in an age where it might be possible to declare war on a country via Twitter. I would hope safeguards are in place to prevent ‘pressing the button’ due to a rogue tweet. But it would only take a handful of inflammatory messages from opposing sides to trigger a security incident that makes this hack look like the work of a preschooler.

Now perhaps this was all just an attempt to make some cash. Perhaps they didn’t get a chance to do anything beyond what was made public. I’ll be amazed if that’s the case but let’s be optimistic. However this whole event highlights the sheer stupidity and irresponsibility of using Twitter as a free customer support platform. It was never designed for this.

The hackers aren’t the criminals here. To an extent even Twitter aren’t to blame. The true bandits are the big companies having such an irresponsible attitude to personal data. So how do we fix this? What’s a better approach? I’ll save that for a future article but all I can say for now is that in my humble opinion it’s time to stop using Twitter as a free customer support platform. You’ve been warned.

If you spot any errors in this article please get in touch. Don’t forget to subscribe on YouTube and remember you can also support the channel via Patreon where you’ll find some extra content that might be useful. Please also join my mailing list so I can keep in touch with you outside the world of YouTube. I always try to be 100% privacy focused and you can unsubscribe at any time.

Thank you for supporting this independent website and best of luck on your small business journey!

Originally published: 29th July 2020
Last updated: 29th July 2020

Andy Mac