The US Federal Trade Commission (FTC) and Twitter have reached an agreement over charges that the latter entity failed to protect users from security breaches which allowed hackers to access a number of accounts.
According to the FTC’s complaint, between January and May 2009, hackers who seized administrative control of Twitter were able to view nonpublic user information, gain access to direct messages and protected tweets, reset passwords and send authorized tweets from any user account.
For example, in January 2009, a hacker exploited an automated password-guessing tool to win administrative control of Twitter, after submitting thousands of guesses.
The hacker then reset numerous user passwords and posted some of them on a website. Using these fraudulently reset passwords, additional individuals sent phony tweets from approximately nine user accounts.
One tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline.
At least one other phony tweet was sent from the account of Fox News.
Under the terms of the above-mentioned settlement, Twitter will be barred for 20 years from misleading users about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic information.
In addition, the settlement requires Twitter to establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for a decade.
“When a company promises consumers that their personal information is secure, it must live up to that promise,” explained FTC spokesperson David Vladeck.
“Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.”