Micro-blogging giant Twitter has agreed to settle charges by the Federal Trade Commission that it failed to safeguard the personal information of its users.
It is the first case the FTC has brought against a social networking site.
The agency’s complaint against Twitter alleges that lapses in data security allowed hackers to take “administrative control” of Twitter last year, including access to tweets designated by users as private.
Under the settlement, Twitter must establish and maintain a comprehensive security program that will be assessed by a third party every other year for 10 years.
The FTC said that between January and May 2009 hackers were able to “view non-public user information, gain access to direct messages and protected tweets, and reset any user’s password and send unauthorized tweets from any user account.”
Hackers were able to send out phony tweets pretending to be from then-President-elect Barack Obama, Fox News and other prominent personalities or entities, the FTC said.
“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, director of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.”
The FTC said hackers used an automated password-guessing tool to gain access, that is, a brute-force attack against an administrative login that did not lock the account after repeated failures.
The hackers then reset several user passwords, and posted some of them on a website where others could access them. Using the reset passwords, fraudsters sent phony tweets from about nine user accounts.
“One tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline,” the FTC said.
According to the FTC complaint, Twitter was vulnerable because it failed to take the following steps:
- requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
- prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
- suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
- providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
- enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
- restricting access to administrative controls to employees whose jobs required it; and
- imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
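The list above reads as a checklist of login controls. As an added example (not code from the article, the FTC complaint, or Twitter), the following Python module implements a minimal administrative login gate with the controls the FTC named: a source-IP allowlist, lockout after a fixed number of failed attempts, a check that the account actually holds an administrative role, and a 90-day password age limit. A constructed dictionary attacker is run against it to show the lockout tripping before the real password is reached. Account names, passwords, the IP addresses (RFC 5737 documentation range), thresholds and the injectable clock are all assumptions for illustration.

```python
"""Added example: an admin login gate with lockout, IP allowlist, role check
and password expiry. Not from the article, the FTC complaint or Twitter."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Thresholds are assumptions chosen to match the FTC's list, not Twitter's values.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PASSWORD_MAX_AGE = 90 * 24 * 3600
# Constructed allowlist of corporate egress addresses (RFC 5737 documentation range).
ADMIN_ALLOWLIST = {"203.0.113.10", "203.0.113.11"}


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; a slow hash also makes offline guessing expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: float
    is_admin: bool = True
    failed_attempts: int = 0
    locked_until: float = 0.0


class AdminAuth:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so lockout/expiry can be tested
        self.accounts = {}

    def add_account(self, username, password, is_admin=True, set_at=None):
        salt, digest = hash_password(password)
        when = set_at if set_at is not None else self.now()
        self.accounts[username] = AdminAccount(username, salt, digest, when, is_admin)

    def login(self, username, password, source_ip):
        # Control: restrict administrative access to specified IP addresses.
        if source_ip not in ADMIN_ALLOWLIST:
            return "denied_ip"
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid"    # same answer as a wrong password: no username enumeration
        # Control: disable the login after a reasonable number of failed attempts.
        if acct.locked_until:
            if acct.locked_until > self.now():
                return "locked"
            acct.locked_until = 0.0          # lockout expired, start counting afresh
            acct.failed_attempts = 0
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = self.now() + LOCKOUT_SECONDS
                return "locked"
            return "invalid"
        acct.failed_attempts = 0
        # Control: only employees whose job requires it get administrative controls.
        if not acct.is_admin:
            return "not_authorized"
        # Control: administrative passwords expire after 90 days.
        if self.now() - acct.password_set_at > PASSWORD_MAX_AGE:
            return "password_expired"
        return "ok"


def brute_force(auth, username, wordlist, source_ip):
    """Constructed attacker: submit dictionary words until success, lockout or denial."""
    results = []
    for guess in wordlist:
        outcome = auth.login(username, guess, source_ip)
        results.append(outcome)
        if outcome in ("ok", "locked", "denied_ip"):
            break
    return results
```

The `now` parameter exists only so the lockout window and password age can be advanced in a test; in production the default wall clock is used. The allowlist check runs before any password work so that guesses from outside the corporate range never reach the hash function, and the "locked" result is returned even when the guess happens to be correct, so the attacker learns nothing from the lockout itself.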
Here is the FTC’s complaint against Twitter.