Online security: Birthday wishes inadvertently give away private information

Thousands of tweets every day expose other users’ date of birth, which could help criminals access their private accounts


31 January 2022

Every day, thousands of people are giving away private information about their friends that could compromise their online security – by wishing them happy birthday on social media.

Banks and other organisations often use a customer’s date of birth to verify their identity, and security experts therefore advise people not to mention it on social media. It is even protected as personal data under data protection laws in the UK and the European Union.

Dilara Kekulluoglu at the University of Edinburgh, UK, and her colleagues found more than 18 million Twitter posts that mentioned “happy birthday” in a 45-day period. Of those, 2.8 million directly mentioned a user, so they could be used to ascertain an individual’s birthday. More than 66,000 of these tweets also gave away the age of the user, and therefore their full date of birth.

Only around 2 per cent of the Twitter users mentioned in those posts shared their birth years on their profiles, so the team warns that well-wishers are exposing this information for users who haven’t proactively shared it themselves.

Kekulluoglu says that around 0.85 per cent of tweets in English contain the term “birthday”, and that the number of tweets revealing sensitive information may be even larger when misspellings or acronyms like “HBD” are taken into account.

“The information you leak and your networks leak, it’s one point in the data chain that could get malicious people closer to your account,” she says.

But she doesn’t think the solution is for us to stop wishing each other happy birthday online. “I wouldn’t want that,” says Kekulluoglu. “I think this is something that brings joy to people.”

“Date of birth was a good authentication because everyone had one, and it wasn’t that guessable if you’re not close to that person,” she says. “But now, with the introduction of social media, it’s no good. If any companies or organisations are using it, they need to move away from it.”

