Twitter Settles FTC Security Complaint
Twitter and the Federal Trade Commission have reached a settlement over charges that the microblogging service failed to protect user privacy in two security incidents last year.
The FTC complaint centered on a January 2009 incident in which an attacker used an automated password-guessing tool to gain administrative control of Twitter and reset numerous passwords. The attacker posted the Twitter passwords on a Website where other people accessed them and used them to send phony tweets.
The complaint also touched on an incident in April in which a hacker compromised a Twitter employee's personal e-mail account and found two passwords similar to the employee's Twitter administrative password stored in plain text, according to the FTC. The hacker was able to then guess the employee's Twitter administrative password and reset at least one Twitter user's password, and had the power to access private user information and tweets for any Twitter user.
"There were 45 accounts accessed in a January incident and 10 that April for short periods of time," Alexander Macgillivray, Twitter's general counsel, wrote June 24 on the Twitter blog. "In the first incident, unauthorized joke tweets were made from nine accounts and attackers may have accessed nonpublic information such as e-mail addresses and mobile phone numbers. In the second, nonpublic information was accessible and at least one user's password was reset."
According to the FTC, Twitter was vulnerable to the attacks because, "It failed to take reasonable steps to prevent unauthorized administrative control of its system, including:
- requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
- prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
- suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
- providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
- enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
- restricting access to administrative controls to employees whose jobs required it; and
- imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses."
"When a company promises consumers that their personal information is secure, it must live up to that promise," David Vladeck, director of the FTC's Bureau of Consumer Protection, said in a statement. "Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure."
Macgillivray noted that Twitter has "implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices."
He also said, "Within hours of the January 2009 breach, we closed the security hole and notified affected account holders." In the second incident, the hacker's administrative access was removed "within less than 18 minutes of the attack," and once again the victims were notified, he said.
A Twitter spokesperson told eWEEK Twitter is a different company than it was when the attacks occurred in 2009. At the time of the January incident, the company had 22 people; in April, it had 40.
"We felt it was important to put the 11-month inquiry behind us ... We have since implemented a number of industry best practices in attempts to minimize attacks and dedicated ourselves to building a world-class Trust & Safety team that is one of our largest organizations in our now 200 person-plus company," the spokesperson said.