Twitter settles with FTC over data security lapses

Jun 24, 2010 By JOELLE TESSLER , AP Technology Writer

(AP) -- Twitter has agreed to settle charges by federal regulators that it put the privacy of its users at risk by failing to protect them from data security lapses last year that let hackers access their accounts.

The said Thursday the settlement bars from misleading consumers about its security and privacy practices and requires the start-up to establish a comprehensive information security program.

No monetary damages were assessed.

The FTC complaint said the breaches allowed hackers to gain administrative control over the online service, which lets users send brief messages called tweets to each other. According to the FTC, hackers were able to view email addresses and other private user information, gain access to user messages, reset user passwords and send phony tweets from user accounts.

At least one phony tweet was sent from the account of Fox News and another phony tweet was sent from the account of then-President-elect Barack Obama offering more than 150,000 followers a chance to win $500 in free gasoline, the FTC said.

The agency charges the incidents deceived users because Twitter's privacy policy pledged to "employ administrative, physical, and electronic measures designed to protect your information from unauthorized access."

"When a company promises consumers that their personal information is secure, it must live up to that promise," David Vladeck, head of the FTC's Bureau of Consumer Protection, said in a statement.

One breach occurred in January 2009 after a hacker used an automated password-guessing tool to gain control of Twitter. The second breach occurred in April 2009 after a hacker broke into a Twitter employee's personal email account, which stored two passwords that were very similar to the employee's administrative password for Twitter.

The FTC said Twitter was vulnerable to these attacks because it used weak, lower case common dictionary words as administrative passwords and failed to take reasonable steps to prevent unauthorized access to its system. Such steps include prohibiting employees from storing administrative passwords in plain text in their email accounts, periodically changing administrative passwords and restricting access to administrative controls.

In a blog post, Twitter General Counsel Alexander Macgillivray said that even before the company reached the agreement with the FTC, it had already implemented many of the security practices highlighted by the agency. He added that the company quickly closed the security holes, notified affected users and disclosed what had happened in blog posts following both incidents.

Macgillivray also noted that Twitter employed fewer than 50 people when the breaches occurred.

"At the time of the incidents, we were ... in the midst of perhaps unprecedented user growth for an Internet company; and, didn't employ the security methods that we use today," the company said on Thursday.

Twitter said 45 accounts were accessed in the first incident and 10 accounts in the second incident.

Explore further: LinkedIn membership hits 300 million

4.3 /5 (16 votes)
add to favorites email to friend print save as pdf

Related Stories

Twitter hacked by old technique -- again

Jul 15, 2009

(AP) -- Breaking into someone's e-mail can be child's play for a determined hacker, as Twitter Inc. employees have learned the hard way - again.

Suspected Twitter infiltrator: 'I'm a nice hacker'

Mar 25, 2010

(AP) -- He's unemployed and isn't much of a computer expert. The Frenchman accused of infiltrating Twitter and peeping at the accounts of President Barack Obama and singers Britney Spears and Lily Allen says he wanted to ...

Twitter bug zaps followers (Update)

May 10, 2010

Twitter was bitten by a bug on Monday that caused users of the fast-growing micro-blogging service to temporarily lose the list of followers of their accounts.

Recommended for you

LinkedIn membership hits 300 million

12 hours ago

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

18 hours ago

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

White House updating online privacy policy

22 hours ago

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites. It also clarifies that ...

User comments : 0

More news stories

LinkedIn membership hits 300 million

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

Impact glass stores biodata for millions of years

(Phys.org) —Bits of plant life encapsulated in molten glass by asteroid and comet impacts millions of years ago give geologists information about climate and life forms on the ancient Earth. Scientists ...