‘Breach’ Day: What Twitter and Instagram’s Third-Party Privacy Leaks Mean for Marketers

By: Sophie Maerowitz

August 8, 2019

By now, every social media marketer should be on the lookout for the privacy breaches impacting brands at an alarming rate. A report from cybersecurity firm 4iQ found a 71 percent increase in identity records being “circulated underground” in 2018; the U.S. and China had the largest share (47%) of identity records compromised worldwide.

Meanwhile, marketers working at smaller brands may be less safe than they think: The study found an increasing number of breaches in small businesses and government agencies—illustrating that the perils of data leaks are not limited to household names like Capital One or Equifax.

Recent developments in Twitter’s and Instagram’s data use and targeting practices should set off warning bells: Even if a privacy breach doesn’t occur on your owned digital properties, those who regularly see your sponsored posts on social could hold you accountable.

Given the risks inherent in the current online climate, and the benefits of remaining transparent, staying on top of the latest happenings at the major platforms—and how they relate to your business—is crucial. If you are aware of your customers’ concerns as social media content consumers, you can quickly acknowledge their worries and better maintain their trust, no matter what’s brewing at the major social platforms. Furthermore, you can offer senior leaders of-the-moment insights when they read the latest Silicon Valley headlines, storm your office and ask, “Should we be worried about this?”

Here are two platform breaches to be aware of, especially if your brand targets potential customers on Instagram or Twitter.

Instagram data scraping by a platform partner

In what Business Insider has called a “combination of configuration errors and lax oversight,” Instagram’s (now-former) marketing partner Hyp3r has been sent a cease-and-desist letter from the platform for hoarding user location data. Business Insider, which approached Instagram with the story before it broke, interviewed several former Hyp3r employees about the vulnerabilities in Instagram’s API that offered the firm nearly limitless access to user locations.

In addition to scraping location data from millions of Instagram feed posts, which Hyp3r used to craft a database for its clients—namely hotels, restaurants, sports venues and casinos—the firm also saved Instagram Stories, an underhanded move given that most users consider their Stories as temporary as the 24-hour window in which they’re visible.

Time will tell whether Instagram will suffer the same level of public scorn as parent company Facebook in the wake of the Cambridge Analytica scandal. Still, the existence of yet another opportunistic data harvesting effort by an official partner could tarnish the platform’s reputation for those who have since abandoned Facebook for its cooler younger sibling.

A screenshot from Hyp3r’s landing page

Twitter data settings snafu

On Aug. 6, Twitter published a notice on the company blog noting that some of the privacy and data settings offered by the platform “may not have worked as intended” from May 2018 onward. Users who clicked an ad for a mobile app, and later opened the Twitter app on their phone, may have had their conversions tracked by Twitter’s third-party ad tech partners, even if they opted out of such tracking. These conversions may have included “country code, if you engaged with the ad and when” and “information about the ad.”

The setting in question, ostensibly, is the option to “share your data with Twitter’s business partners”—in other words, the ad tech companies that facilitate Twitter’s real-time bidding for brand advertisers. Similarly, “ads based on inferences” around users’ device usage were served regardless of whether they checked the box allowing Twitter to “personalize based on your inferred identity.” 

The platform said it had fixed both issues on Aug. 5. TechCrunch’s Natasha Lomas posited that the window in which the bugs were active was impacted by GDPR’s going into effect in May 2018, and noted that it mirrored a similar issue in May 2019 that “resulted in an account’s location data being shared with a Twitter ad partner, during real-time bidding (RTB) auctions.”

The big takeaway for marketers? Vet your third-party social media technicians mercilessly. Check their miracle-cure offerings against the major platforms’ increasingly specific privacy guidelines, or risk getting caught in the crossfire when the next privacy breach violation hits the fan.

Follow Sophie: @SophieMaerowitz
