Twitter settles with FTC over celebrity hacking incidents

by @gordonmacmillan, posted on 25 June, 2010 at 9:18 am, filed under Social Media, Social Networking and tagged , , , , , . Bookmark the permalink. Follow any comments here with the RSS feed for this post.

Twitter has settled with the Federal Trade Commission over charges that it deceived consumers by allowing hackers to take control over a small number of accounts including that of Barrack Obama due to a security loop hole.

The two incidents in early 2009 saw hackers take control of and send fake messages from around 60 accounts including then then-President-elect Obama, Fox News, Tyler Perry, Shaquille O’Neal and Dave Matthews.

The attacks took place at a time when Twitter employed less than 50 people (it employs around 200 now) and it faced two separate security incidents.  You forget what a tiny company it was — but with such a global reach.

In the first incident, 45 accounts were accessed in January 2009 and a further 10 in April. Each time it happen it was for short periods of time.

For Twitter and those accounts hacked the most damaging part of the attack was that as well as being able to send fake tweets it also enabled hackers to access “non public” information such as email addresses, mobile phone numbers and reset at least one user’s password.

According to Alexander Macgillivray (@macgill) Twitter general: “Within hours of the January breach, we closed the security hole and notified affected account holders. We posted a blog post about it on the same day. In the April incident, within less than 18 minutes of the hack we removed administrative access to the hacker and we quickly notified affected users. We also posted this blog item about the incident within a few days of first learning about it.”

Under the settlement with the FTC, Twitter has agreed to set up a security programme that will be assessed by a third party. It will also be prohibited from misleading consumers about the extent to which it protects “nonpublic consumer information”.

Macgillivray said that Twitter had already implemented most of the changes that the FTC agreement cites

“Why are we bringing up these incidents from 18 and 14 months ago that we already told people about? Because the United States Federal Trade Commission (FTC) launched an inquiry into our security practices related to these attacks and today announced that we’ve reached an agreement that resolves their concerns. Even before the agreement, we’d implemented many of the FTC’s suggestions and the agreement formalizes our commitment to those security practices,” Macgillivray said.