The FTC charges that serious lapses in Twitter's data security allowed hackers to obtain administrative control of the social networking service, including access to tweets consumers had designated as private, and the ability to send out fake tweets from then-President-elect Obama and Fox News, among others.
"When a company promises consumers that their personal information is secure, it must live up to that promise," David Vladeck, director of the FTC's Bureau of Consumer Protection, said in a statement. "Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure."
Twitter lets users send "tweets" -- messages of 140 characters or less -- to "followers" who sign up to receive them via e-mail or phone text. Twitter's privacy settings allow users to designate certain tweets as nonpublic, such as "direct messages," which are visible only to the author and intended recipient. Twitter users can also activate a "Protect my tweets" setting, allowing only their approved followers to view their tweets.
But according to the FTC complaint, between January and May 2009, hackers who gained administrative control of Twitter were able to view private user information, gain access to direct messages and protected tweets, reset any user's password, and send unauthorized tweets from any user account.
In January 2009, the FTC charged, a hacker used an automated password-guessing tool to gain administrative control of Twitter after submitting thousands of guesses to Twitter's log-in page. The administrative password was a weak, lowercase, common dictionary word, leaving Twitter's system wide open to password cracking.
The hacker then reset numerous user passwords and posted some of them on a Web site. Using these fraudulently reset passwords, other intruders sent phony tweets from approximately nine user accounts. One tweet was sent from the account of then-President-elect Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline. At least one other phony tweet was sent from the account of Fox News.
During a second security breach, in April 2009, a hacker compromised a Twitter employee's personal e-mail account and found two passwords stored in plain text. Using this information, the hacker guessed the employee's administrative password, reset at least one Twitter user's password, and gained the ability to access private user information and tweets for any Twitter user.
The FTC says Twitter was vulnerable to these attacks because it failed to take reasonable steps to prevent unauthorized administrative control of its system, including:
- Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, web sites, or networks.
- Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts.
- Suspending or disabling administrative passwords after a reasonable number of unsuccessful log-in attempts.
- Providing an administrative log-in web page that is available only to authorized persons and separate from the user log-in page.
- Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days.
- Restricting access to administrative controls to employees whose jobs required it.
- Imposing other reasonable limits on administrative access, such as by restricting access to specified IP addresses.
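To make the listed controls concrete, here is an added Python sketch (not from the FTC complaint or Twitter's own systems) that implements three of them for an admin-only login: a password policy that rejects the lowercase dictionary word described above, lockout after a fixed number of failed attempts, and an IP allowlist. The word list, IP addresses and credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a real dictionary; production would load a large word list.
COMMON_WORDS = {"password", "happiness", "letmein", "welcome"}

def is_acceptable_admin_password(pw: str) -> bool:
    """Reject passwords of the kind the complaint describes: short, all-lowercase, or a dictionary word."""
    if len(pw) < 12 or pw.lower() in COMMON_WORDS:
        return False
    return not (pw.islower() and pw.isalpha())

def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored admin credentials are never plain text."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

@dataclass
class AdminLoginGuard:
    """Admin-only login endpoint: IP allowlist plus lockout after repeated failures."""
    allowed_ips: set
    max_failures: int = 5
    credentials: dict = field(default_factory=dict)  # user -> (salt, hash)
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def enroll(self, user: str, pw: str) -> None:
        if not is_acceptable_admin_password(pw):
            raise ValueError("password does not meet admin policy")
        salt = secrets.token_bytes(16)
        self.credentials[user] = (salt, hash_password(pw, salt))

    def attempt(self, user: str, pw: str, src_ip: str) -> str:
        if src_ip not in self.allowed_ips:
            return "denied_ip"  # admin page is not reachable from arbitrary networks
        if user in self.locked:
            return "locked"  # stays locked until an administrator clears it
        salt, stored = self.credentials.get(user, (b"", b""))
        if stored and hmac.compare_digest(hash_password(pw, salt), stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"  # a guessing tool gets at most max_failures tries
        return "failed"
```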
Twitter must also establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years.
The FTC will shortly publish an announcement regarding the agreement in the Federal Register, which will be subject to public comment for 30 days, ending July 26, 2010.