Twitter settled charges with the Federal Trade Commission that it “deceived consumers” and didn’t protect their privacy, according to the agency today. The violated users included singer Britney Spears, President Barack Obama, and the account of the Fox News channel. It’s the FTC’s first data security case against a social network, suggesting that the agency may be looking to get tougher on consumer Web companies.

The charges stem from a case early last year, when hackers broke into the social network and gained administrative control:

“In January 2009, a hacker used an automated password-guessing tool to gain administrative control of Twitter, after submitting thousands of guesses into Twitter’s login webpage. The administrative password was a weak, lower case, common dictionary word. Using the password, the hacker reset numerous user passwords and posted some of them on a website, where other people could access them. Using these fraudulently reset passwords, other intruders sent phony tweets from approximately nine user accounts. One tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline. At least one other phony tweet was sent from the account of Fox News.

During a second security breach, in April 2009, a hacker compromised a Twitter employee’s personal e-mail account where two passwords similar to the employee’s Twitter administrative password were stored, in plain text. Using this information, the hacker was able to guess the employee’s Twitter administrative password. The hacker reset at least one Twitter user’s password, and could access private user information and tweets for any Twitter users.”

The agency said there was a number of very basic things the company could have done to prevent this including have hard-to-guess passwords, a separate administrative log-in page and password changes every 90 days.

The agency said Twitter must now offer a “comprehensive information security program” to be evaluated by a third party every other year for 10 years.

Twitter said that it caught both security breaches within hours or minutes of the attacks and said that it had already made many of the FTC’s requested changes.

“Even before the agreement, we’d implemented many of the FTC’s suggestions and the agreement formalizes our commitment to those security practices,” wrote the company’s general counsel Alexander Macgillivray in a blog post.

VentureBeat

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more
Become a member