Twitter Settles with FTC Over Privacy Breach and Account Hacking

The Federal Trade Commission approved the settlement with Twitter over charges that the site's poor security practices led to two high-profile hacker attacks in 2009.

Under a settlement agreement, Twitter will be obligated to establish a more rigorous information-security policy to prevent user accounts from being hijacked.

The United States Federal Trade Commission finalized its settlement with Twitter over charges that the micro-blogging site did not safeguard user privacy and misled users about its security practices. The commissioners finalized the settlement-originally announced in June 2010-in a 5-0 vote on March 11, the FTC said.

The settlement addressed some "serious lapses in the company's data security," FTC said.

The agreement bars Twitter for 20 years from making misleading statements about "the extent to which it protects the security, privacy and confidentiality" of private user information. Twitter must establish and maintain a comprehensive information-security program that will be independently audited every two years, according the settlement.

Breaches to the agreement will result in fines of up $16,000 per violation. Twitter will also absorb the costs of the biennial audit.

Hackers were able to gain control of Twitter in two separate incidents between January and May of 2009, the FTC said in its original complaint. Hackers accessed 45 accounts in January and 10 in April, according to Twitter.

Hackers figured out the passwords of Twitter staffers in the January incident and used that access to read private messages and send out bogus status messages from more than two dozen accounts, including those of President Barack Obama, singer Britney Spears and former CNN anchor Rick Sanchez. The hackers also gained access to the accounts' e-mail addresses, mobile phone number if it was associated with the account, and the list of accounts blocked by users.

Twitter did not lock accounts after several incorrect login attempts, which allowed the hacker to submit thousands of guesses before figuring out the right password, which was a "weak, lower case, common dictionary word," according to the FTC.

A hacker gained access to a Twitter employee's personal e-mail account, which contained a Twitter administrative password stored in plain text, in the April incident.

Twitter said at the time that the incident was a "very serious breach of security," but noted that the company had responded very quickly to shut down the attacks.

The FTC said Twitter misled its users that it was taking appropriate security measures to safeguard their privacy. The company was using easily decipherable passwords, allowing employees to store information in vulnerable places, did not suspend accounts after a number of failed logins, did not set passwords to expire, and did not impose restrictions on administrator access, the FTC said.

At the time of the attacks, Twitter's privacy policy said the company was "very concerned about safeguarding the confidentiality of your personally identifiable information" and that Twitter employed "administrative, physical and electronic measures designed to protect your information from unauthorized access," the FTC said. Users were also given privacy settings that enabled them to designate their posts as private.

Twitter has removed that language from its current privacy policy on the site.

Twitter did not have an updated statement on the FTC settlement, but cited a blog post from June 2010 claiming the company has already implemented many of the suggested security practices.

While Twitter security may have improved since 2009, Twitter users are still getting their accounts hijacked. Actor Ashton Kutcher had his account taken over, apparently after he exposed his login credentials over an unsecured wireless network at the TED conference earlier this month.

That type of account takeover could be avoided if Twitter forced users to connect over a secure Web connection. Facebook rolled out that option on its site recently, but has not yet made it the default practice, or mandatory for all users.