Friday, August 28, 2015

What the Twits at Twitter forgot

Hackers breached Twitter's remarkably weak security at least twice early last year, thanks to two easy-to-avoid mistakes. In a settlement with the FTC, Twitter has agreed to have a third party assess its security every two years for the next decade.

If you've ever blown off warnings about the importance of computer-password security, the Federal Trade Commission's settlement today with Twitter is a great reminder of what's at stake. That's especially true if you're dealing with sensitive personal or financial information, or are responsible - as these Twits at Twitter were - for other people's privacy and security.

The FTC says Twitter employees made two easy-to-avoid mistakes that led to breaches by hackers, in January and April 2009.

In the first case, an administrative password was a "lower case, common dictionary word," easily guessable with software the FTC calls an "automated password-guessing tool." The breach had predictable results, and also illustrated Twitter's odd role as an intermediary between high-profile users, such as celebrities and politicians, and the rest of us mere mortals:

Using the password, the hacker reset numerous user passwords and posted some of them on a website, where other people could access them. Using these fraudulently reset passwords, other intruders sent phony tweets from approximately nine user accounts. One tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline. At least one other phony tweet was sent from the account of Fox News.

Three months later, a hacker struck again, accessing a Twitter employee's personal e-mail account "where two passwords similar to the employee’s Twitter administrative password were stored, in plain text," the FTC says. From there, it was easy enough to guess the staffer's administrative password. The hacker used that to "reset at least one Twitter user’s password, and could access private user information and tweets for any Twitter users."

I'm sure you've seen advice like this before, but this list itemizing Twitter's specific failures bears repeating because of its importance to all computer and Internet users. The FTC says Twitter made itself vulnerable "because it failed to take reasonable steps to prevent unauthorized administrative control of its system." Its complaint says those missing steps included:

  • requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
  • prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
  • suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
  • providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
  • enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
  • restricting access to administrative controls to employees whose jobs required it; and
  • imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
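As an added illustration (not code from the FTC complaint, from Twitter, or from this column), here is a minimal admin-login guard in Python that applies the controls the complaint lists: rejecting short or dictionary-word passwords, storing only a salted hash rather than plain text, locking the account after repeated failed attempts, expiring passwords after 90 days, and restricting administrative logins to known addresses. The lockout threshold, the address range and the word list are assumptions chosen for the example.

```python
import hashlib
import hmac
import ipaddress
import os
from datetime import datetime, timedelta

COMMON_WORDS = {"password", "happiness", "twitter", "admin", "letmein"}  # constructed sample
MAX_FAILED_ATTEMPTS = 5                                # assumed lockout threshold
PASSWORD_MAX_AGE = timedelta(days=90)                  # expiry interval from the complaint
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed office address range

def password_policy_violations(pw):
    """Reasons a proposed admin password is rejected; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("too short")
    if pw.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    if pw.isalpha() or pw.isdigit():
        problems.append("single character class")
    return problems

class AdminAccount:
    def __init__(self, password, set_at):
        self.salt = os.urandom(16)     # per-account salt; only the hash is stored
        self.digest = self._hash(password)
        self.set_at = set_at           # datetime of the last password change
        self.failed = 0
        self.locked = False
    def _hash(self, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)
    def verify(self, pw):
        return hmac.compare_digest(self.digest, self._hash(pw))

def check_admin_login(account, password, source_ip, now):
    """Apply the controls in order; the first one that fails decides the outcome."""
    if not any(ipaddress.ip_address(source_ip) in net for net in ADMIN_NETWORKS):
        return "ip-denied"             # admin login only from known addresses
    if account.locked:
        return "locked"                # stays locked until manually reset
    if not account.verify(password):
        account.failed += 1            # failures are counted so guessing tools stall
        if account.failed >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            return "locked"
        return "bad-password"
    account.failed = 0
    if now - account.set_at > PASSWORD_MAX_AGE:
        return "expired"               # correct but stale: force a rotation first
    return "ok"
```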

Of course, the most important point here is that it's bad enough to be lax if you're just taking risks with your own personal accounts or data. It's inexcusable if you've built a business around managing people's personal information, which is what social networking companies do.

Click here to see the FTC's proposed agreement with Twitter - including the FTC's acknowledgment that the deal "does not constitute an admission ... that the law has been violated as alleged in the draft complaint," or even that the facts it alleges are true. (Want to see what the FTC alleged in that complaint? Click here.)

In response to my request for comment, Twitter referred me to a post on its corporate blog by its general counsel, Alexander Macgillivray, which said Twitter has already "implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices." Basically, the company says this is old news that it acknowledged and dealt with last year when it was little and just learning:

Early in 2009, when Twitter employed less than 50 people, we faced two different security incidents that impacted a small number of users. Put simply, we were the victim of an attack and user accounts were improperly accessed. There were 45 accounts accessed in a January incident and 10 that April for short periods of time. In the first incident, unauthorized joke tweets were made from nine accounts and attackers may have accessed nonpublic information such as email addresses and mobile phone numbers. In the second, nonpublic information was accessible and at least one user’s password was reset.

The deal is open for public comment for the next 30 days. If you want to weigh in - even in more than 140 characters - click here:  

So far, there's no indication you can comment by tweeting.

Jeff Gelles, Inquirer Business Columnist