Wednesday 9th June 2021
Typically, today would have been Warcraft Wednesday and most of my day would have been spent doing the weekly quests on all my alts. But C is having workmen in tomorrow and it clashed with their covid jab, so I’ll be house sitting.
As a result, it will be unlikely I’ll be able to concentrate if other people are around, so I’ve moved Warcraft Wednesday until tomorrow.
A lot of my time today has been spent on my suspended Twitter account. Back at the end of March, my Twitter account got compromised and posted 3 identical nasty tweets. It resulted in my account being suspended, which given the nature of these tweets I could understand.
They had happened when I was asleep, alone in my own house, with all my devices in the house and my computer turned off. I also have 2FA.
So it got me wondering how they got in. Because my account was suspended (and Twitter weren’t budging), I couldn’t access a lot of areas to get the information I needed, despite Twitter saying I should be able to. It took a complaint to their Data Protection Office before anything was done. However, I had suspected that the only place the tweets could have come from was a connected app.
You know when you get offered to log in with your Facebook account, or allow a game to auto-tweet your achievements? That basically works because you give permission for one app to talk to another through what is known as an API. And if one app gets compromised, it could tell the other app to do something you might not want it to. This is why you should always question what you are granting when you give permissions to an app. Why does this game need access to my camera?
As a rule, I’m fairly careful about what I grant permissions to, but after years of Twitter and wanting to automate things such as tweeting when I post a new edition of The Climb, there are a few, however.
Now sometimes one app speaks ‘French’ and the other speaks ‘English’. There are a number of services out there which basically translate one API to another. And they can do all manner of cool things, like flashing your lights when the Space Station is flying overhead, or emailing you if it’s going to rain tomorrow.
I’d used one of these a few years ago called IFTTT to read tweets from a certain account and post them to Discord.
When the Twitter data finally came back, it pointed to IFTTT which was interesting. First of all, the logs were pretty basic and didn’t go back far enough (prompting another data request) but inside the service, I’d only given permission for it to read tweets. I wondered if a hacker could have created a new rule and then deleted it. But all ‘rules’ get archived, and there was nothing there.
Now IFTTT state in their privacy policy that if you have a question about your data and are in the UK, you should email a UK address. Which I did, only to get an autoresponder that said the email would not be read. So I emailed the US address, and got the same.
I ended up speaking to the Information Commissioner’s Office who were super helpful and gave me a template letter to post to IFTTT, which I did (copying in their UK address as well).
So today I got an email response (after 3 and a half weeks) that basically said: sorry, too late, we only keep data for a month. That means I would have had to have put the request in within 3 or 4 days of the original event happening to get a response. Doesn’t make sense.
Now I know a little about security best practices, and I can tell you keeping data for just a month isn’t normal, but I wasn’t sure it was technically illegal. Cue me spending a lot of my day chatting to IT colleagues about various IT standards across the UK, Europe and the world. General consensus is that holding event logs for only a month seems very odd.
The plan was to phone the ICO again tomorrow for more advice as they would know, but then I find that there was an incident that resulted in similar things happening to other accounts. Apparently, those impacted were emailed by the CEO about it explaining how it wasn’t a security incident. I’ve checked my email and spam folder and I received nothing.
But I find myself asking, if this was a genuine mistake, why wouldn’t the company keep event logs from the incident, and secondly, mention it when contacting me?
I suspect they are trying to cover up something.
Originally, I just wanted to understand what had happened, and to try and get my Twitter account back. Now, they’ve been sneaky, I’m a little pissed at them and want some token of compensation.