Twitter yesterday said it's sorry personal information submitted when setting up multi-factor authentication "may have inadvertently been used for advertising purposes." Phone numbers and email addresses were made available to Twitter's Tailored Audiences and Partner Audiences advertising system. The company says it has introduced reforms to keep this from happening again, but security experts have received the disclosure coldly. Twitter's denial that "personal data was ever shared externally with our partners or any other third parties" reads as ambiguous, and "externally" seems to be the operative word. Twitter apparently used the multi-factor authentication data to match users with advertisers' databases, the better to enable Twitter's customers (that is, advertisers) to target their pitches. Twitter's legal exposure is unclear. The Register says the US Federal Trade Commission declined to comment, but, as the Washington Post points out, the FTC fined Facebook over similar practices.
Kaspersky is following Reductor, a remote access Trojan that also manipulates certificates and marks outbound TLS traffic. The campaign affects Chrome and Firefox browsers, may have compromised ISPs, and is tentatively attributed to the Russian threat actor Turla. The victims appear confined to Russia and Belarus.
The US Senate Intelligence Committee has issued the second volume of its report, "Russian Active Measures Campaigns and Interference in the 2016 U.S. Election." It finds that Russian social media operations were overwhelmingly concerned with race, and that activity increased after Election Day.
Patch Tuesday was relatively light. Microsoft issued sixty fixes, nine of which were rated "critical," Help Net Security summarizes. Adobe didn't peep.