The U.S. Federal Trade Commission has closed the book on its legal action against Twitter, stemming from two 2009 hacking incidents where high-profile Twitter users — including President Barack Obama — lost control of their accounts.
The FTC said that Twitter was guilty of “serious lapses in the company’s data security,” after hackers twice broke into Twitter administrative consoles by figuring out the passwords of Twitter staffers in early 2009. They then used that access to read private messages and send out fake Twitter messages using a number of high-profile Twitter accounts, including Obama’s and those of Britney Spears and Fox News.
Twitter misled consumers by saying that it was taking appropriate security measures to protect their privacy, the FTC said.
In June 2010, Twitter and the FTC reached a tentative settlement in the matter, which the FTC finalized on Friday. The FTC’s five commissioners voted unanimously to accept the settlement.
Twitter now faces fines if it misleads consumers about its security and privacy protections, and it must set up a “comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years,” the FTC said.
In a blog post last June, Twitter said that it had already implemented many of the security practices suggested by the FTC.
Observers say that Twitter security has improved since the 2009 attacks, but there are still some problems. Last week actor Ashton Kutcher had his Twitter account briefly taken over, apparently after he exposed his log-in credentials over an unsecured wireless network at the TED conference. That type of attack could be eliminated if Twitter forced users to connect over a secure Web connection.
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan.