Twitter has agreed to settle Federal Trade Commission (FTC) charges that it deceived consumers and put their privacy at risk by failing to safeguard personal information.
In the first such case against a social networking service, the FTC accused Twitter of "serious lapses" in its data security, allowing hackers to obtain administrative control of the system.
This enabled the hackers to access non-public user information and tweets that had been designated private, and to send out phony messages from any account, including that of then-President-elect Barack Obama.
Last January a hacker used an automated password-guessing tool to gain administrative control of Twitter, after submitting thousands of guesses into the microblogging site's login page. The password was a weak, lowercase, common dictionary word, says the FTC.
The hacker reset several passwords, and posted some of them on a Web site. Other intruders then used this information to send phony tweets, one from the account of Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline.
In April another attack saw a different hacker guess the administrative password of a Twitter employee after compromising their personal e-mail account where two similar passwords were stored in plain text.
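The two root causes the FTC describes, a weak lowercase dictionary word as an administrative password and a login page that accepted thousands of guesses, map onto two basic controls. The following is an added example (not Twitter's code or anything from the FTC filing) showing a password-policy check and a sliding-window detector for guessing attacks; the log line format, the wordlist and the sample log are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed stand-in wordlist; a deployment would load a full dictionary or cracking wordlist.
COMMON_WORDS = {"password", "welcome", "letmein", "sunshine", "monkey"}

def is_weak_password(password, min_length=12):
    """True if the password is short, a known dictionary word, or all lowercase letters,
    i.e. the class of password the FTC complaint says was guessed."""
    if len(password) < min_length:
        return True
    if password.lower() in COMMON_WORDS:
        return True
    return password.isalpha() and password.islower()

# Hypothetical auth-log format: "<epoch> <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    """Return (timestamp, result, user, source) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["result"], m["user"], m["src"]

def find_guessing_attacks(lines, threshold=10, window=300):
    """Map each account to the timestamp at which its failed logins first reached
    `threshold` within any `window`-second span (sliding window per account).
    Crossing the threshold is where a lockout or step-up challenge would be applied."""
    fails = defaultdict(deque)   # user -> timestamps of recent failures
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # ignore malformed lines rather than crash
        ts, result, user, _src = parsed
        if result != "FAIL":
            continue
        q = fails[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged[user] = ts
    return flagged

# Constructed sample log: twelve rapid failures against "admin", one ordinary failure by "alice".
SAMPLE_LOG = [f"{1000 + i} FAIL user=admin src=203.0.113.5" for i in range(12)] + [
    "1013 OK user=admin src=203.0.113.5",
    "1500 FAIL user=alice src=198.51.100.7",
    "1501 OK user=alice src=198.51.100.7",
]
```

Running `find_guessing_attacks(SAMPLE_LOG)` flags only `admin`, at the tenth failure; a real deployment would also key the counter on source address and alert on the event rather than only return it.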
Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. It is also required to establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.
David Vladeck, director, bureau of consumer protection, FTC, says: "Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure."
In a blog post, Twitter adds: "Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalises our commitment to those security practices."