The previous system had overly weak protection against gaining access to arbitrary unlisted content. I don't think the approach they're taking to deploying a security enhancement is the wrong one.
This Tweet is from a suspended account. Learn more
Conversation
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
This Tweet is from a suspended account. Learn more
If someone doesn't act on a notice about their content, I don't think the right move is their likely private content not being properly secured.
It's quite unfortunate that they apparently had a serious security design flaw in the previous system though. I wonder how old it is.
1
I don't see a better option than requiring people to either make the content public to keep the current URL or use a new properly secured system for sharing it.
They would be doing users a major disservice if they required taking action to avoid potential compromise of data.
1
This Tweet is from a suspended account. Learn more
Replying to
Phone numbers aren't a cryptographically strong access token. You could guess someone's password and log into their account but you can't guess the access token without it being made available to you in some way. At least, that's the intended security model from the beginning.