Skip the navigation
News

Twitter settles FTC privacy complaint

By Grant Gross
June 24, 2010 11:56 AM ET

IDG News Service - Social-networking giant Twitter has agreed to settle a complaint from the U.S. Federal Trade Commission alleging that the company deceived users and put their privacy at risk by failing to take appropriate security safeguards.

Twitter used lax security measures to protect user personal information, resulting in hackers gaining administrative control of the service, the FTC said in a complaint made public Thursday. Hackers were able, on two occasions in early 2009, to gain access to Twitter messages, called tweets, that users had designated as private, and they were able to send out phony tweets pretending to be from U.S. President Barack Obama, Fox News and other organizations, the FTC said.

Despite a privacy policy saying that Twitter took several measures to protect user privacy, the social-networking site failed to create or enforce several common security policies, the FTC said in its complaint. Twitter did not create or enforce a policy against easy-to-guess administrative passwords, and did not create or enforce policies prohibiting the storage of administrative passwords in plain text in personal e-mail accounts.

Twitter also failed to suspend or disable administrative passwords after a reasonable number of unsuccessful log-in attempts, failed to implement a password expiration policy and failed to restrict administrative controls to only employees that needed access, the FTC said.

"Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information," said the company's privacy policy. "We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access."

Twitter general counsel Alexander Macgillivray, in a blog post, said the company has already implemented many of the security changes recommended by the FTC. The two incidents that the FTC focused on happened when Twitter employed fewer than 50 people, and a total of 55 users accounts were accessed, he said.

"Put simply, we were the victim of an attack and user accounts were improperly accessed," he wrote. "Within hours of the January breach, we closed the security hole and notified affected account holders. We posted a blog post about it on the same day. In the April incident, within less than 18 minutes of the hack we removed administrative access to the hacker and we quickly notified affected users. We also posted this blog item about the incident within a few days of first learning about it."

The FTC's complaint described the two attacks. In January 2009, a hacker used an automated password-guessing tool to gain administrative control of Twitter, after submitting thousands of guesses into Twitter's log-in page, the FTC said. The administrative password was a common dictionary word, the agency said in a press release.

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.
Our Commenting Policies
Blog Spotlight
Sharky

Staff member at a senior center calls this pilot fish, complaining that her printer won't work. And since she's the kind of user who thinks computers just get in the way of getting her job done, fish has his work cut out for him.

Sharky
Sharky