Twitter and the FTC reached a settlement this week after a lengthy Federal Trade Commission investigation into Twitter's past lax security practices. The concerns arose from a number of breaches in which attackers gained access to users' accounts and, in some cases, abused them.
The first hack, in January 2009, compromised the accounts of a number of high-profile users, including Barack Obama, Britney Spears and the Huffington Post. The attacker got in by running an automated tool that repeatedly submitted password guesses to the login page until one succeeded; nothing on Twitter's side stopped the guessing. The attacker then sent an unauthorized tweet from Barack Obama's account offering a competition whose winners would earn $500 in free gasoline.
In the second case an attacker gained access to a Twitter employee's administrative account by breaking into the employee's personal email account and reading a message in which the administrator password was stored in plain text.
The FTC faulted Twitter for missing some obvious controls: first, Twitter should have had a mechanism that refuses further login attempts for an account once too many of them have failed, which would have stopped the password-guessing attack; second, it should have prohibited employees from storing passwords and other company data in personal email accounts, since a compromise of such an account then hands the credential straight to the attacker.
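To make the first finding concrete, here is a small login service, written for this page as an added example (it is not Twitter's code and not part of the original article). It models the password-guessing loop from the first hack against two configurations of the same service: one with no failed-attempt lockout, as Twitter reportedly operated in 2009, and one that locks the account after a few failures. The policy numbers (5 attempts, 15 minutes), the wordlist and the weak password are all constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5           # failed attempts allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts (assumed policy)
PBKDF2_ROUNDS = 50_000     # kept modest so the demo runs quickly


class FakeClock:
    """Deterministic clock so the demo, including lockout expiry, runs offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthService:
    """Minimal login service; lockout_enabled=False models a service with no lockout at all."""
    def __init__(self, lockout_enabled: bool, clock):
        self.accounts = {}
        self.lockout_enabled = lockout_enabled
        self.clock = clock

    def register(self, user: str, password: str):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, bytes(16))  # same cost for unknown users
            return "denied"
        now = self.clock()
        if self.lockout_enabled and now < acct.locked_until:
            return "locked"  # refuse even a correct password while locked
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.lockout_enabled and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"


def brute_force(service: AuthService, user: str, wordlist):
    """Online guessing loop of the kind used in the first hack; stops when the
    service answers anything other than a plain 'denied'."""
    for attempt, guess in enumerate(wordlist, 1):
        result = service.login(user, guess)
        if result != "denied":
            return result, attempt
    return "exhausted", len(wordlist)


# Constructed sample wordlist; the demo account's password sits 8th in the list.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome",
            "monkey", "dragon", "sunshine", "football", "iloveyou"]


def demo():
    clock = FakeClock()
    weak = AuthService(lockout_enabled=False, clock=clock)
    weak.register("admin", "sunshine")  # constructed weak password
    no_lockout = brute_force(weak, "admin", WORDLIST)

    hardened = AuthService(lockout_enabled=True, clock=clock)
    hardened.register("admin", "sunshine")
    with_lockout = brute_force(hardened, "admin", WORDLIST)
    while_locked = hardened.login("admin", "sunshine")  # right password, still refused
    clock.advance(LOCKOUT_SECONDS + 1)
    after_expiry = hardened.login("admin", "sunshine")
    return {"no_lockout": no_lockout, "with_lockout": with_lockout,
            "while_locked": while_locked, "after_expiry": after_expiry}


if __name__ == "__main__":
    print(demo())
```

Without the lockout the guessing loop reaches the weak password on its eighth try; with it, the account is locked on the sixth request and the later correct guess is never tested. The caveat a practitioner will want: a per-account lockout lets anyone who knows a username deny that user service, so real deployments pair it with per-source throttling, progressively longer delays or a challenge rather than a hard lock alone.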
Twitter says that at the time it was still a small company that had not anticipated how popular the service would become, and that all of the security issues investigated have since been fixed. Nonetheless the FTC's order stipulates that the company must not mislead consumers about privacy and security for the next 20 years, must have an independent assessment of its security program carried out once a year, and faces civil penalties of up to $16,000 for each violation of the order.
Whereas before the FTC had no way to punish Twitter for a security breach, the order now gives it some teeth. Twitter, of course, believes that won't be necessary.