Twitter will establish an independently audited information-security program as part of an agreement with the Federal Trade Commission to settle an inquiry into the social-networking giant's protection of user data.
The investigation was launched in early 2009 when the young company was hit by two security breaches that, it said, impacted only a small number of users. In January 2009, 45 accounts were hacked, with joke tweets posted from an outside source. One of the victims was CNN host Rick Sanchez, whose followers learned that he was supposedly "high on crack right now and may not be coming in to work."
Fake Tweets From Obama, Sanchez
Tweets supposedly from President Barack Obama and Fox News were also sent by the hackers. In April 2009, another 10 accounts were accessed, data compromised, and, according to Twitter, at least one user's password was reset.
The FTC announced Thursday that Twitter "has agreed to settle charges ... that it deceived consumers and put their privacy at risk by failing to safeguard their personal information." The agency said it was the 30th time it had targeted faulty data security, but the first such case against a social-networking service.
The hackers were able to gain control of Twitter via an automated password-guessing system because of security lapses, the FTC said.
"When a company promises consumers that their personal information is secure, it must live up to that promise," said David Vladeck, director of the FTC's Bureau of Consumer Protection. "Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social-networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure."
In a blog post on Thursday, Twitter, noting that the incidents took place when it had only 50 employees, insisted it had acted promptly to end the threat.
"Within hours of the January breach, we closed the security hole and notified affected account holders. We posted a blog post about it on the same day. In the April incident, within less than 18 minutes of the hack we removed administrative access to the hacker and we quickly notified affected users."