Twitter admitted it had numerous security issues that led to multiple breaches of its systems. According to the FTC complaint, between January and May 2009, hackers who gained administrative control of Twitter were able to view nonpublic user information, gain access to direct messages and protected tweets, reset any user's password, and send tweets from any user account that were indistinguishable from ones the account owner had authorized.
Twitter has settled with the Federal Trade Commission on charges that it deceived consumers and put their privacy at risk. The social networking service has agreed to periodic third-party reviews of its security program over the next decade.
The FTC charged that Twitter had serious lapses in its data security allowing hackers to gain access to Twitter’s systems. Twitter failed to require employees to use strong administrative passwords, it didn’t prohibit employees from storing admin passwords in plain text in their email accounts and it failed to disable administrative accounts after a reasonable number of unsuccessful login attempts.
The administrative password the hackers used to gain access to the inner workings of the service was a weak, lowercase, common dictionary word, the FTC said. The Twitter administrative login page was not separate from the login page for ordinary users, so the admin interface was exposed to the same online guessing as any account. Twitter also didn't enforce periodic changes to administrative passwords.
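The two preceding paragraphs list the missing controls rather than showing why they matter. The following is an added example, not Twitter's code and not part of the article, of an admin-login gate that enforces them: a strength check against a word list, salted hashing instead of plaintext storage, lockout after a fixed number of failures, and a maximum password age. Every name, threshold and word in it is an assumption chosen for illustration; the attacker's word list is constructed so that the weak password sits past the lockout threshold.

```python
"""Added example: admin-login gate with the controls the FTC said were missing.
Not Twitter's code; all names, thresholds and the word list are assumptions."""
import hashlib
import hmac
import os

MIN_LENGTH = 12                 # assumed policy values, not Twitter's
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MAX_PASSWORD_AGE = 90 * 86400
PBKDF2_ITERATIONS = 50_000      # kept low so the demo runs quickly; tune up in production

# Constructed stand-in for a common-password list; a real deployment uses a large one.
COMMON_WORDS = {"password", "letmein", "welcome", "admin", "monkey",
                "dragon", "happiness", "twitter"}


def password_is_strong(password):
    """Reject short passwords and dictionary words, even with trailing digits/symbols."""
    if len(password) < MIN_LENGTH:
        return False
    core = password.lower().rstrip("0123456789!@#$%")
    return core not in COMMON_WORDS


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256: what gets stored instead of the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class AdminAccount:
    def __init__(self, username, password, *, enforce_policy=True,
                 lockout=True, now=0.0):
        if enforce_policy and not password_is_strong(password):
            raise ValueError("password violates policy")
        self.username = username
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.lockout = lockout
        self.failed = 0
        self.locked_until = 0.0
        self.password_set_at = now

    def check_login(self, password, now=0.0):
        """Return 'ok', 'denied', 'locked' or 'expired' for one login attempt."""
        if now < self.locked_until:
            return "locked"
        candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.digest):
            self.failed += 1
            if self.lockout and self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "denied"
        self.failed = 0
        if now - self.password_set_at > MAX_PASSWORD_AGE:
            return "expired"        # right password, but rotation is overdue
        return "ok"


def dictionary_attack(account, wordlist, now=0.0):
    """Online guessing with a word list; returns (recovered_password, attempts)."""
    attempts = 0
    for word in wordlist:
        attempts += 1
        result = account.check_login(word, now=now)
        if result == "ok":
            return word, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


# Constructed attacker list; the target word is deliberately past the lockout threshold.
WORDLIST = ["password", "letmein", "welcome", "admin", "monkey",
            "dragon", "happiness", "twitter"]

if __name__ == "__main__":
    # 2009-style setup: weak dictionary word, no lockout -> falls in a few guesses.
    weak = AdminAccount("ops", "happiness", enforce_policy=False, lockout=False)
    print(dictionary_attack(weak, WORDLIST))          # ('happiness', 7)
    # Same weak password, but lockout after 5 failures stops the guessing.
    locked = AdminAccount("ops", "happiness", enforce_policy=False, lockout=True)
    print(dictionary_attack(locked, WORDLIST))        # (None, 5)
    # Policy enforced: the weak password is never accepted in the first place.
    try:
        AdminAccount("ops", "happiness")
    except ValueError as exc:
        print("rejected:", exc)
```

Lockout alone has a cost: anyone who knows an admin username can lock that administrator out by sending bad guesses, so production systems usually pair it with per-source rate limiting or progressive delays, and keep the admin login on a separate, access-restricted endpoint as the FTC complaint also called for.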
In a blog post, Twitter general counsel Alexander Macgillivray said Twitter has already taken precautions, closing the security hole that led to the two security incidents. The agreement resolves the FTC's concerns and formalizes Twitter's commitment to the security practices it put in place, Macgillivray wrote.