Micro-blogging service Twitter has settled charges brought against it by the Federal Trade Commission that it violated its users privacy and effectively engaged in customer deception due to a security lapses that enabled attackers to access accounts, send phony tweets, and get “administrative control” of Twitter.
The charges stem from incidents in the first half of 2009 in which attackers where able to gain access to Twitter’s internal operations using a dictionary-based password-guessing tool…and it found a very weak administrative password. The administrative password gave attackers access to private user information, including direct messages and private tweets sent between users. They were also able to reset any Twitter user’s password and sent forged tweets that appeared to be from any arbitrary account. The attackers forged tweets from many users, including President Barak Obama (he was president-elect, at the time: the fraudulent tweet promised free gasoline) as well as Fox News.
“When a company promises consumers that their personal information is secure, it must live up to that promise,” said FTC Consumer Protection Bureau director David Vladeck, in a statement. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.”
Twitter says the incidents “impacted a small number of users,” and the security holes were quickly closed, with Twitter notifying impacted account holders and posting blog items about the incidents.
Twitter is not paying any penalties under the settlement. However, the service will be required to have employees use strong administrative passwords, prohibit employees from storing passwords as plain text, suspend administrative passwords after a “reasonable” number of unsuccessful login attempts, and place a series of other restrictions on access to administrative accounts and employees who have access to them. Twitter is also barred from misleading consumers about security and privacy issues for 20 years—if they’re found to violate that, each violation could cost the company $16,000.