UPDATED The U.S. Federal Trade Commission said today it’s settled with Twitter over security lapses last year that let hackers access accounts on the service, including that of President Barack Obama. Many people may have forgotten the events by now (and are probably too busy complaining about recent Twitter outages), but in January 2009 a French hacker guessed a Twitter administrative password that was “a weak, lower case, common dictionary word.” Other people then used that access to send fake tweets from user accounts, including Obama’s and those of Britney Spears and Fox News. In a similar April 2009 attack, user information was exposed and at least one user password was changed.
The terms of the settlement seem to be a slap on the wrist and a strong scolding. The FTC is still finalizing the agreement but it includes a 20-year ban on Twitter “misleading” consumers about how it handles their information and requires the company to create a “comprehensive information security program.”
While the FTC is out trumpeting its cause of making companies more accountable for protecting user information, Twitter itself was deeply embarrassed by a similar security lapse last summer, when many key internal documents were posted online after one of the same hackers gained access to an employee’s email account.
Update: In a blog post about the settlement, Twitter downplayed the significance of the two incidents, said it has ramped up its security efforts in the last year, and explained it decided to settle with the FTC in order to move on.
We felt it was important to put the 11-month inquiry behind us. We also recognize that Twitter is a different company than we were in 2009. At the time of the incidents, we were a 22-person and a 40-person start-up, respectively; were in the midst of perhaps unprecedented user growth for an Internet company; and, didn’t employ the security methods that we use today.