The Federal Trade Commission announced Thursday that Twitter had addressed seven security vulnerabilities which allowed a hacker to gain access to several accounts last year -- including that of then-candidate Barack Obama. The agreement ends a probe that could lead to fines of up to $16,000 per infraction, should Twitter disobey the resulting consent order.
In addition to citing security vulnerabilities, the FTC claims Twitter misled its users by promising that their accounts were secure when they were not. However, Twitter has shored up all seven vulnerabilities to the feds' satisfaction, and says it solved most of the problems soon after the accounts were breached in January and April of 2009.
"When a company promises consumers that their personal information is secure, it must live up to that promise," said FTC Bureau of Consumer Protection director David Vladeck in a statement. "Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure."
The decision will likely be finalized as a consent order after a pro forma 30-day public comment period.
In January 2009, a hacker guessed an all-lowercase administrative password that was an actual word, gaining access to "numerous" Twitter accounts, including that of Barack Obama, resetting their passwords and posting some of the new passwords online. Nine of these accounts were used by the hacker or others to send messages. Obama's Twitter followers, for instance, received an offer for $500 worth of free gasoline. The FTC mentioned that Fox News' account was also used to send at least one fraudulent message.
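The January 2009 break-in turned on two missing controls: an administrative password that was a plain lowercase dictionary word, and nothing stopping repeated guesses against an administrative login. The following Python is an added example, not Twitter's code and not the text of the FTC order; it shows a password policy check that rejects that class of password and a per-account throttle that locks the login after repeated failures. The word list, the account name, and the thresholds (14-character minimum, five failures in 15 minutes, 30-minute lockout) are constructed assumptions for illustration.

```python
"""Administrative password policy and failed-login throttle (added example).

Not Twitter's code or the FTC order's wording; thresholds and the word list
are constructed for illustration.
"""

# Constructed stand-in for a real dictionary. A deployment would load a large
# word list plus published breached-password lists.
COMMON_WORDS = {"happiness", "password", "twitter", "letmein", "welcome", "admin"}


def has_mixed_classes(pw, required=3):
    """True if the password uses at least `required` character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= required


def check_admin_password(pw, min_len=14):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.isalpha() and pw.islower():
        problems.append("all-lowercase letters only")
    # Strip digits and punctuation so "happiness1!" still matches the word.
    core = "".join(c for c in pw.lower() if c.isalpha())
    if core in COMMON_WORDS:
        problems.append("dictionary word")
    if not has_mixed_classes(pw):
        problems.append("fewer than three character classes")
    return problems


class LoginThrottle:
    """Lock an account after `max_failures` failed logins within `window` seconds.

    Timestamps are passed in explicitly so the behaviour is deterministic and
    testable; a real service would use its clock.
    """

    def __init__(self, max_failures=5, window=900, lockout=1800):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = {}      # account -> recent failure timestamps
        self.locked_until = {}  # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        """Record a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        recent = [t for t in self.failures.get(account, []) if now - t < self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.failures[account] = []
            return True
        return False

    def record_success(self, account):
        """A successful login clears the failure history for the account."""
        self.failures.pop(account, None)


def attempts_accepted_before_lockout(throttle, account, start=0):
    """Count how many failed attempts the throttle accepts before locking."""
    n = 0
    while not throttle.record_failure(account, start + n):
        n += 1
    return n + 1  # include the attempt that triggered the lock


if __name__ == "__main__":
    print(check_admin_password("happiness"))
    print(check_admin_password("Correct-Horse-Battery-9"))
    throttle = LoginThrottle()
    print(attempts_accepted_before_lockout(throttle, "example-admin"))
```

The dictionary check strips digits and punctuation before the lookup, because appending "1!" to a word does little against a guessing attack; the character-class rule and the length minimum are separate so each violation is reported on its own line. The throttle keeps only failures inside the window, so a legitimate administrator who mistypes once a day is never locked out, while a sustained guessing run hits the limit on the fifth attempt.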
Note to social networks: If you want to draw federal scrutiny, allow hackers access to the account of the president (then, the president-elect). But Twitter's security woes didn't end there.
The following April, a hacker accessed a Twitter employee's e-mail account and found two passwords there, from which he or she was able to ascertain the employee's administrative Twitter password. As in the previous attack, the hacker reset at least one user's password, and was able to access direct messages and other private communications in any number of accounts.
The settlement bars Twitter from misleading consumers about the security of their personal information for the following 20 years, and forces it to "establish and maintain a comprehensive information security program" to be audited every other year for the next decade.
In its defense, Twitter general counsel Alexander Macgillivray wrote that Twitter employed fewer than 50 people at the time of the attacks, despite already being incredibly popular, and said only 55 of its millions of accounts were compromised. In addition, the company posted on its blog shortly after each attack, explaining what had happened. He wrote, "Even before [today's] agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices."
The FTC says Twitter had to make the following changes to earn a clean bill of health security-wise: