What the Twits at Twitter forgot

If you've ever blown off warnings about the importance of computer-password security, the Federal Trade Commission's settlement today with Twitter is a great reminder of what's at stake. That's especially true if you're dealing with sensitive personal or financial information, or are responsible - as these Twits at Twitter were - for other people's privacy and security.

The FTC says Twitter employees made two easy-to-avoid mistakes that led to breaches by hackers, in January and April 2009.

In the first case, an administrative password was a "lower case, common dictionary word," easily guessable with software the FTC calls an "automated password-guessing tool." The breach had predictable results, and also illustrated Twitter's odd role as an intermediary between high-profile users, such as celebrities and politicians, and the rest of us mere mortals:

Using the password, the hacker reset numerous user passwords and posted some of them on a website, where other people could access them. Using these fraudulently reset passwords, other intruders sent phony tweets from approximately nine user accounts. One tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline. At least one other phony tweet was sent from the account of Fox News.

Three months later, a hacker struck again, accessing a Twitter employee's personal e-mail account "where two passwords similar to the employee’s Twitter administrative password were stored, in plain text," the FTC says.  From there, it was easy enough to guess the staffer's administrative password. The hacker used that to "reset at least one Twitter user’s password, and could access private user information and tweets for any Twitter users."

I'm sure you've seen advice like this before, but this list itemizing Twitter's specific failures bears repeating because of its importance to all computer and Internet users. The FTC says Twitter made itself vulnerable "because it failed to take reasonable steps to prevent unauthorized administrative control of its system." Its complaint says those steps included:

  • requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
  • prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
  • suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
  • providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
  • enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
  • restricting access to administrative controls to employees whose jobs required it; and
  • imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
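
To make several of those items concrete, here is a short Python sketch of an administrative login gate that combines the dictionary-word check, the lockout after failed attempts, the IP restriction and the 90-day expiry. It is an example added here, not code from Twitter or the FTC, and the word list, network range, minimum length and failure limit are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample values; none of these come from the FTC complaint.
COMMON_WORDS = {"password", "sunshine", "dragon", "monkey"}
ADMIN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # documentation range
MIN_LENGTH = 12                        # assumed policy minimum
MAX_FAILURES = 5                       # assumed "reasonable number" of bad tries
MAX_PASSWORD_AGE = timedelta(days=90)  # the FTC's own example


def password_is_guessable(password):
    """Reject short passwords and dictionary words, whatever their case."""
    return len(password) < MIN_LENGTH or password.lower() in COMMON_WORDS


class AdminAccount:
    def __init__(self, password_set_at):
        self.password_set_at = password_set_at
        self.failures = 0
        self.locked = False


def check_admin_login(account, source_ip, password_ok, now):
    """Return (allowed, reason). password_ok is the result of the real check."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in ADMIN_NETWORKS):
        return False, "source IP not on admin allowlist"
    if account.locked:
        return False, "account locked"
    if not password_ok:
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.locked = True  # stays locked until an operator resets it
        return False, "bad password"
    if now - account.password_set_at > MAX_PASSWORD_AGE:
        return False, "password expired"
    account.failures = 0
    return True, "ok"


if __name__ == "__main__":
    acct = AdminAccount(password_set_at=datetime(2009, 1, 1))
    when = datetime(2009, 2, 1)
    for _ in range(MAX_FAILURES):      # a guessing tool burns its tries
        check_admin_login(acct, "192.0.2.10", False, when)
    print(check_admin_login(acct, "192.0.2.10", True, when))  # locked out
```

With the lockout in place, a guessing tool gets five tries rather than the whole dictionary, and even the right password is refused once the account is locked.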

Of course, the most important point here is that it's bad enough to be lax if you're just taking risks with your own personal accounts or data. It's inexcusable if you've built a business around managing people's personal information, which is what social networking companies do.

Click here to see the FTC's proposed agreement with Twitter - including the FTC's acknowledgment that the deal "does not constitute an admission ... that the law has been violated as alleged in the draft complaint," or even that the facts it alleges are true. (Want to see what the FTC alleged in that complaint? Click here.)

In response to my request for comment, Twitter referred me to a post on its corporate blog by its general counsel, Alexander Macgillivray, which said Twitter has already "implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices."  Basically, the company says this is old news that it acknowledged and dealt with last year when it was little and just learning:

Early in 2009, when Twitter employed less than 50 people, we faced two different security incidents that impacted a small number of users. Put simply, we were the victim of an attack and user accounts were improperly accessed. There were 45 accounts accessed in a January incident and 10 that April for short periods of time. In the first incident, unauthorized joke tweets were made from nine accounts and attackers may have accessed nonpublic information such as email addresses and mobile phone numbers. In the second, nonpublic information was accessible and at least one user’s password was reset.

The deal is open for public comment for the next 30 days. If you want to weigh in - even in more than 140 characters - click here:  

So far, there's no indication you can comment by tweeting.