Under a settlement agreement, Twitter will be obligated to establish a more rigorous information-security policy to prevent user accounts from being hijacked.
The United States Federal Trade Commission finalized its settlement with Twitter over charges that the micro-blogging site did not safeguard user privacy and misled users about its security practices. The commissioners finalized the settlement-originally announced in June 2010-in a 5-0 vote on March 11, the FTC said.
The settlement addressed some “serious lapses in the company’s data security,” FTC said.
The agreement bars Twitter for 20 years from making misleading statements about “the extent to which it protects the security, privacy and confidentiality” of private user information. Twitter must establish and maintain a comprehensive information-security program that will be independently audited every two years, according the settlement.
Breaches to the agreement will result in fines of up $16,000 per violation. Twitter will also absorb the costs of the biennial audit.
Hackers were able to gain control of Twitter in two separate incidents between January and May of 2009, the FTC said in its original complaint. Hackers accessed 45 accounts in January and 10 in April, according to Twitter.
Hackers figured out the passwords of Twitter staffers in the January incident and used that access to read private messages and send out bogus status messages from more than two dozen accounts, including those of President Barack Obama, singer Britney Spears and former CNN anchor Rick Sanchez. The hackers also gained access to the accounts’ e-mail addresses, mobile phone number if it was associated with the account, and the list of accounts blocked by users.
Twitter did not lock accounts after several incorrect login attempts, which allowed the hacker to submit thousands of guesses before figuring out the right password, which was a “weak, lower case, common dictionary word,” according to the FTC.
A hacker gained access to a Twitter employee’s personal e-mail account, which contained a Twitter administrative password stored in plain text, in the April incident.
Twitter said at the time that the incident was a “very serious breach of security,” but noted that the company had responded very quickly to shut down the attacks.
The FTC said Twitter misled its users that it was taking appropriate security measures to safeguard their privacy. The company was using easily decipherable passwords, allowing employees to store information in vulnerable places, did not suspend accounts after a number of failed logins, did not set passwords to expire, and did not impose restrictions on administrator access, the FTC said.
Twitter did not have an updated statement on the FTC settlement, but cited a blog post from June 2010 claiming the company has already implemented many of the suggested security practices.
While Twitter security may have improved since 2009, Twitter users are still getting their accounts hijacked. Actor Ashton Kutcher had his account taken over, apparently after he exposed his login credentials over an unsecured wireless network at the TED conference earlier this month.
That type of account takeover could be avoided if Twitter forced users to connect over a secure Web connection. Facebook rolled out that option on its site recently, but has not yet made it the default practice, or mandatory for all users.