The US Federal Trade Commission faulted fast-growing messaging company Twitter on Thursday for lax internal security procedures that allowed hackers to post fake statements from the accounts of president Barack Obama and others.
The FTC found that the website misled consumers by claiming that their data were protected.
Twitter didn’t follow such basic precautions as restricting administrative access to certain computers, prohibiting easy-to-guess passwords for employees with administrative powers, or setting the passwords to expire after 90 days, the consumer protection arm of the agency said.
The FTC filed a formal complaint about the company at the same time that it announced a settlement that calls for recurring outside audits of its security practices. Twitter said it had already made many of the changes called for in the new agreement.
“When a company promises consumers that their personal information is secure, it must live up to that promise,” David Vladeck, director of the FTC’s Bureau of Consumer Protection, said in disclosing the developments.
While most US companies are not covered by federal laws on privacy, the FTC has used boilerplate website assurances such as those at Twitter to go after companies that have lost customer information to hackers making minimal effort.
The FTC pointed out that the Twitter case was its first move on data protection against a company in the powerful wave of websites that exist to spread personal information through social networking or other means.
More serious complaints have gone to the agency about Facebook, which privacy advocates accused of deliberately confusing users and, in a quest for greater profit, disseminating information the individuals thought was restricted. Facebook has denied the claim and introduced simplified controls for users.
Twitter, though, got nothing but embarrassment from its missteps.
According to the documents released on Thursday, in January of last year a hacker used an automated password-guessing tool to crack the management account of a Twitter employee whose password was a common dictionary word in lower case with no numbers or special characters. Many companies lock down employee accounts after a set number of login tries, but Twitter did not.
The intruder then used that access to reset passwords on regular accounts, including Mr Obama’s, and posted the new passwords on the web. Other people then used those passwords to send phoney messages from Mr Obama’s account and eight others, including one belonging to Fox News.
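The controls the FTC says were missing (a lockout after a fixed number of failed logins, rejection of lower-case dictionary-word passwords, 90-day expiry, and administrative logins accepted only from designated machines) are small to implement. The following is an added illustration written for this article, not Twitter's code or anything from the FTC documents; the `AuthService` class, the five-word `COMMON_WORDS` list standing in for a real dictionary file, and the `10.0.5.0/24` administrative network are all constructed for the example.

```python
"""Login hardening controls described in the FTC complaint, as an added
example (hypothetical names; not Twitter's code)."""
import hashlib
import hmac
import ipaddress
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for a real dictionary wordlist.
COMMON_WORDS = {"password", "happiness", "letmein", "welcome", "sunshine"}
# Constructed: the only network from which administrative accounts may log in.
ADMIN_NETWORK = ipaddress.ip_network("10.0.5.0/24")

MAX_FAILED_ATTEMPTS = 5          # lock the account after this many failures
LOCKOUT_SECONDS = 15 * 60        # how long the lock holds
PASSWORD_MAX_AGE = 90 * 86400    # 90-day expiry, as the settlement requires


def password_policy_violation(password: str) -> Optional[str]:
    """Return why a password is unacceptable, or None if it passes."""
    if password.lower() in COMMON_WORDS:
        return "common dictionary word"
    if len(password) < 12:
        return "shorter than 12 characters"
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        return "needs at least three of: lower, upper, digit, symbol"
    return None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    is_admin: bool
    password_set_at: float
    failed_attempts: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry/lockout can be tested
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str, is_admin: bool = False) -> None:
        problem = password_policy_violation(password)
        if problem:
            raise ValueError(f"weak password: {problem}")
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt),
                                          is_admin, self.clock())

    def login(self, username: str, password: str, source_ip: str) -> str:
        """Return one of: ok, denied, locked, password_expired."""
        acct = self.accounts.get(username)
        now = self.clock()
        if acct is None:
            return "denied"           # same answer as a wrong password
        if acct.is_admin and ipaddress.ip_address(source_ip) not in ADMIN_NETWORK:
            return "denied"           # admin access restricted to certain machines
        if now < acct.locked_until:
            return "locked"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
                return "locked"       # guessing tool stops here, not at success
            return "denied"
        acct.failed_attempts = 0
        if now - acct.password_set_at > PASSWORD_MAX_AGE:
            return "password_expired"
        return "ok"
```

The lockout counter is the control that matters most against the attack described above: with five attempts per fifteen minutes, an automated guesser that would otherwise try a dictionary in minutes is held to a few hundred guesses a day, and the lock itself is a loggable event an operations team can alert on.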