Twitter has settled with the Federal Trade Commission on charges that it deceived consumers and put their privacy at risk. The social networking service has agreed to periodic third-party reviews of its security program over the next decade.
Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices.
general counselTwitter Inc.
In the federal agency's first case against a social networking service, Twitter admitted it had numerous security issues that led to multiple breaches of its systems. According to the FTC complaint, between January and May 2009, hackers who gained administrative control of Twitter were able to view nonpublic user information, gain access to direct messages and protected tweets and reset any user's password and send authorized tweets from any user account.
Under the terms of the settlement, Twitter must establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years. The company is also barred from misleading statements about its security and privacy controls.
Careless Twitter security policies
The FTC charged that Twitter had serious lapses in its data security allowing hackers to gain access to Twitter's systems. Twitter failed to require employees to use strong administrative passwords, it didn't prohibit employees from storing admin passwords in plain text in their email accounts and it failed to disable administrative accounts after a reasonable number of unsuccessful login attempts.
The administrative password used by the hackers to gain access to the inner-workings of the service was a weak, lower case, common dictionary word, the FTC said. The Twitter administrative login webpage was not separate from the login page for users. Twitter also didn't enforce periodic changes to administrative passwords.
In January 2009, a hacker used a password cracking program to gain administrative control of Twitter, after submitting thousands of guesses into Twitter's login webpage, the FTC said. The hacker then reset numerous user passwords and posted some of them on a website, where other people could access them.
The lapses in security enabled other intruders to access tweets that consumers had designated private and had the ability to send out phony tweets. Up to 45 high-profile accounts were hacked, including President-elect Barack Obama, pop singer Britney Spears, media outlet Fox News and CNN anchor Rick Sanchez.
During a second security breach, in April 2009, a hacker compromised a Twitter employee's personal e-mail account where two passwords similar to the employee's Twitter administrative password were stored, in plain text, the FTC said. Using this information, the hacker was able to guess the employee's Twitter administrative password. The hacker reset at least one Twitter user's password, and could access private user information and tweets for any Twitter users.
"When a company promises consumers that their personal information is secure, it must live up to that promise," David Vladeck, director of the FTC's Bureau of Consumer Protection said in a statement. "Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure."
In a blog post, Twitter general counsel Alexander Macgillivray said Twitter has already taken precautions, closing the security hole that led to the two security incidents. The agreement resolves the FTC's concerns and formalizes Twitter's commitment to the security practices it put in place, Macgillivray wrote.
"Within hours of the January breach, we closed the security hole and notified affected account holders," Macgillivray wrote. "We posted a blog post about it on the same day. In the April incident, within less than 18 minutes of the hack we removed administrative access to the hacker and we quickly notified affected users. We also posted this blog item about the incident within a few days of first learning about it."