Twitter Inc., the microblogging service with about 190 million visitors per month, agreed to settle a U.S. government complaint that security lapses allowed hackers to view private messages and send “tweets” from other people’s accounts.
Failures in the company’s data security allowed hackers to gain administrative control of Twitter, the Federal Trade Commission said in a statement today announcing its complaint and settlement. One hacker sent a bogus tweet in January 2009 from the account of then-President-elect Barack Obama offering his followers a chance to win $500 in free gasoline.
San Francisco-based Twitter, which is closely held, allows users to send tweets, or messages of up to 140 characters. Privacy settings allow users to designate some tweets as private.
“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, director of the FTC’s Bureau of Consumer Protection, in the statement. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.”
Twitter won’t be fined under the settlement. The company will be barred for 20 years from misleading consumers about the extent to which it protects private information. The company also has to maintain a “comprehensive information security program,” according to the settlement.
The company said in a blog posting that the attacks on the site resulted in 45 accounts being accessed in January 2009 and 10 in April last year. The company said it moved quickly to address the security issues then.
“Even before the agreement, we’d implemented many of the FTC’s suggestions and the agreement formalizes our commitment to those security practices,” the company said in the blog posting.
In a separate e-mail statement, Twitter said it was better to put the 11-month inquiry “behind us” than to fight the FTC.
Aside from the bogus Obama tweet, unauthorized messages were sent from eight other accounts, including one belonging to Fox News, according to the FTC complaint.
In January 2009, a hacker used an automated tool to determine a Twitter employee’s administrative password after submitting thousands of guesses on Twitter’s public Web page. The password was a “weak, lowercase, letter-only, common dictionary word,” according to the complaint.
The password allowed the hacker to access private user information and send bogus tweets for any user, according to the complaint. The hacker reset user passwords, some of which the hacker posted online. Reset passwords were used by other intruders to send unauthorized tweets.
In April 2009, a hacker gained access to a Twitter employee’s personal e-mail and was able to infer the employee’s Twitter administrative password, according to the complaint. The hacker reset at least one user’s password, according to the FTC.
Twitter was vulnerable to the attacks because it failed to take “reasonable steps” to prevent unauthorized administrative control of its system, the commission said in its statement summarizing the complaint.
The agreement with Twitter is subject to public comment for 30 days. The commission then will decide whether to make it final, according to the statement.