The FTC brought charges against Twitter last year on grounds that lapses in the company’s data security allowed hackers to gain unauthorised administration control of Twitter.
Under the terms of the settlement, Twitter will be barred for 20 years from misleading customers about the extent to which it protects the security and privacy of users. Twitter will now have to establish an information security programme that will be assessed by an independent auditor every other year for ten years.
In January 2009 a hacker was able to guess Twitter’s administrative ‘weak’ password allowing them to reset several passwords. The hacker then posted some of them on a website which allowed other people to access them.
One tweet was sent from the account of then-President-elect Barack Obama, offering his 150,000-plus followers a chance to win $500 in free gasoline. One bogus tweet was sent from the account of News Corporation-owned Fox News.
During a second security breach in April 2009, a hacker was able to guess the administrative password of a Twitter employee, allowing them to reset at least one Twitter user’s password.
The FTC stated Twitter was vulnerable to these attacks because it failed to take reasonable steps to require employees to use hard-to-guess administrative passwords, disable administrative passwords after a reasonable number of unsuccessful log-in attempts and enforce periodic changes of administrative passwords.
David Vladeck from the FTC’s bureau of consumer protection said: "When a company promises consumers that their personal information is secure, it must live up to that promise.
"Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure."
A statement on Twitter’s blog said: "Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalises our commitment to those security practices."