The Federal Trade Commission approved the settlement with Twitter over charges that the site's poor security practices led to two high-profile hacker attacks in 2009.
Under a settlement
agreement, Twitter will be obligated to establish a more rigorous information-security
policy to prevent user accounts from being hijacked.
The United States Federal
Trade Commission
finalized
its settlement with Twitter over charges that the micro-blogging site did
not safeguard user privacy and misled users about its security practices. The
commissioners finalized the settlement-originally announced in June 2010-in a
5-0 vote on March 11, the FTC said.
The settlement addressed
some "serious lapses in the company's data security," FTC said.
The agreement bars Twitter
for 20 years from making misleading statements about "the extent to which it
protects the security, privacy and confidentiality" of private user
information. Twitter must establish and maintain a comprehensive
information-security program that will be independently audited every two
years, according the settlement.
Breaches to the agreement
will result in fines of up $16,000 per violation. Twitter will also absorb the
costs of the biennial audit.
Hackers were able to gain
control of Twitter in two separate incidents between January and May of 2009,
the FTC said in its
original
complaint. Hackers accessed 45 accounts in January and 10 in April,
according to Twitter.
Hackers figured out the
passwords of Twitter staffers in the January incident and used that access to
read private messages and send out bogus status messages from more than two
dozen accounts, including those of President Barack Obama, singer Britney
Spears and former CNN anchor Rick Sanchez. The hackers also gained access to
the accounts' e-mail addresses, mobile phone number if it was associated with
the account, and the list of accounts blocked by users.
Twitter did not lock
accounts after several incorrect login attempts, which allowed the hacker to
submit thousands of guesses before figuring out the right password, which was a
"weak, lower case, common dictionary word," according to the FTC.
A hacker gained access to a
Twitter employee's personal e-mail account, which contained a Twitter
administrative password stored in plain text, in the April incident.
Twitter said at the time
that the
incident
was a "very serious breach of security," but noted that the company had
responded very quickly to shut down the attacks.
The FTC said Twitter misled
its users that it was taking appropriate security measures to safeguard their
privacy. The company was using easily decipherable passwords, allowing
employees to store information in vulnerable places, did not suspend accounts
after a number of failed logins, did not set passwords to expire, and did not
impose restrictions on administrator access, the FTC said.
At the time of the attacks,
Twitter's
privacy policy
said the company was "very concerned about safeguarding the
confidentiality of your personally identifiable information" and that
Twitter employed "administrative, physical and electronic measures
designed to protect your information from unauthorized access," the FTC
said. Users were also given privacy settings that enabled them to designate
their posts as private.
Twitter has removed that
language from its current privacy policy on the site.
Twitter did not have an
updated statement
on the FTC settlement, but cited a blog post from June 2010 claiming the
company has already implemented many of the suggested security practices.
While Twitter security may
have improved since 2009, Twitter users are still getting their accounts hijacked.
Actor Ashton Kutcher had his account taken over, apparently after he exposed
his login credentials over an unsecured wireless network at the TED conference
earlier this month.
That type of account
takeover could be avoided if Twitter forced users to connect over a
secure
Web connection. Facebook rolled out that option on its site recently, but
has not yet made it the default practice, or mandatory for all users.
Email
Print
