In FTC Settlement, Twitter Agrees to Improve Privacy Protection
The FTC's case against Twitter, the agency's first lawsuit against a social networking site, accused the company of serious lapses in data security that allowed hackers to take control of the popular site twice in 2009. On those occasions, hackers gained access to the personal information of Twitter users and sent out fake tweets from President Obama and Fox News, among others. Under the terms of the settlement, first announced in June 2010, Twitter will be prohibited for 20 years from misleading consumers about the extent to which it protects the security, privacy and confidentiality of private consumer information.
The settlement also applies to actions Twitter takes to prevent unauthorized access to private information and requires it to honor privacy choices made by users. To that end, Twitter must also establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.
But according to the FTC complaint, hackers were twice able to take administrative control of Twitter between January and May 2009. In January 2009, a hacker used automated password-guessing software to gain control of Twitter after submitting thousands of wrong guesses into Twitter's log-in page. The administrative password was a weak, lowercase, common word, leaving Twitter's system open to password cracking.
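The two lapses the complaint describes in that paragraph are both easy to catch on the defender's side: an administrative login page that accepts thousands of wrong guesses without throttling, and an admin password that is a short lowercase dictionary word. The following is an added illustration written for this page, not code from the FTC filing or from Twitter; the log format, IP addresses, account names, thresholds and the small common-word list are all constructed for the example.

```python
"""Added illustration (not from the FTC filing or Twitter): spotting the two
lapses the complaint describes -- unthrottled password guessing against an
administrative login, and a weak lowercase dictionary-word admin password.
All log lines and word lists below are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp>Z <client ip> <account> FAIL|SUCCESS"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

# Constructed stand-in for a real common-password dictionary.
COMMON_WORDS = {"password", "happiness", "letmein", "twitter", "welcome"}


def parse_line(line):
    """Parse one log line; returns (timestamp, ip, account, outcome) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_bruteforce(lines, threshold=50, window=timedelta(minutes=10)):
    """Sliding-window count of failed logins per (ip, account).

    Returns a dict keyed by (ip, account) with the time the threshold was
    crossed, the failure count at that moment, and whether a SUCCESS for the
    same pair followed later (the signature of a guess that finally landed).
    """
    recent = defaultdict(deque)   # (ip, account) -> FAIL timestamps inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # ignore malformed lines
        ts, ip, account, outcome = parsed
        key = (ip, account)
        q = recent[key]
        while q and ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"first_alert": ts, "failures": len(q), "success_after": False}
        elif key in alerts:
            alerts[key]["success_after"] = True
    return alerts


def is_weak_password(pw, min_length=12):
    """Rejects the kind of password the complaint describes: short, all-lowercase,
    or a dictionary word. Any one of the three checks is enough."""
    if len(pw) < min_length:
        return True
    if pw.islower() and pw.isalpha():
        return True
    return pw.lower() in COMMON_WORDS


def make_sample_log(failures=1200):
    """Constructed log: normal traffic plus a guessing run against 'admin'."""
    start = datetime(2009, 1, 5, 2, 0, 0)
    lines = ["2009-01-05T01:59:00Z 203.0.113.9 alice SUCCESS"]
    for i in range(failures):
        t = start + timedelta(seconds=i // 4)          # about 4 guesses per second
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.7 admin FAIL")
    t = start + timedelta(seconds=failures // 4 + 1)
    lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.7 admin SUCCESS")
    lines.append("2009-01-05T02:30:00Z 203.0.113.9 alice FAIL")   # a lone typo, not an attack
    return lines


if __name__ == "__main__":
    for (ip, account), rec in detect_bruteforce(make_sample_log()).items():
        print(f"{ip} -> {account}: {rec['failures']} failures by "
              f"{rec['first_alert']:%H:%M:%S}, later success: {rec['success_after']}")
    print("weak:", is_weak_password("happiness"), is_weak_password("Tq7#vL9!mR2z"))
```

The detector keys on the (source, account) pair so that one user mistyping a password a few times never trips it, while a single source hammering one administrative account crosses the threshold within seconds; a success following such an alert is the event worth paging on. The password check encodes the property the complaint singles out (a lowercase common word) alongside a length floor, which is the minimum an account with administrative reach should be held to.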
The hacker proceeded to reset numerous user passwords and posted some of them on a website for anyone to access. Using these reset passwords, other hackers sent phony tweets from user accounts. One tweet was sent from the account of then-President-elect Obama, offering his 150,000 followers a chance to win $500 in free gasoline. At least one other phony tweet was sent from the Fox News account.
During a second security breach in April 2009, a hacker compromised a Twitter employee's personal email account and found two passwords stored in plain text. Using this information, the hacker correctly guessed the employee's administrative password and reset at least one Twitter user's password. The hacker also gained the ability to access private user information and tweets for every Twitter user.