You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Also, that the internal account takeover happened at *all*, presumably remotely, is inexcusable in 2020. If your corporate authentication does not require non-spoofable 2FA (e.g. U2F/WebAuthn) to achieve this level of access, you are doing many things wrong.
And apparently Twitter is retaliating against users tweeting screenshots of the internal tool (even censored of private info), which speaks volumes as to their priorities during this kind of massive security incident.
Remember this is apparently a *support tool*. The issue of insider access from *engineers* is a tricky one, because ultimately engineers need to be able to engineer the system. It's possible, but tricky, to build sufficient controls around engineering procedures.
But support tools? There should be high-level overrides for all of that stuff, and auditing up the wazoo, at the very least a kill switch that is always accessible to on-call engineers/security team. It should've taken minutes to identify and lock out the attack.
There is absolutely no reason why anything someone working for Twitter support does shouldn't be immediately identifiable, controllable, and reversible by someone at a higher level, on-call, as soon as it happens. We have access hierarchies for a reason.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
