FTC warns Twitter over weak, easily-guessable admin passwords

Twitter gets its wrist slapped by the FTC over weak, easily-guessable admin passwords that allowed some user accounts to be hijacked

Twitter has notched up the questionable honour of being the first social networking site to be reprimanded by the US Federal Trade Commission (FTC).

The FTC warning followed a number of successful hacking attacks in early 2009, in which a total of 33 accounts were hijacked using Twitter's own internal support tools. Most notably, one of those accounts belonged to Barack Obama, then US President-elect.

This is "the agency's first such case against a social networking site" over flawed data protection; the hackers were able to view private information and direct messages, send tweets from hijacked accounts and reset users' passwords.

Weak, easily-guessable passwords

Referring to an attack in January 2009, the FTC noted that: "a hacker used an automated password-guessing tool to gain administrative control of Twitter, after submitting thousands of guesses into Twitter's login webpage. The administrative password was a weak, lower case, common dictionary word.

"Using the password, the hacker reset numerous user passwords and posted some of them on a website, where other people could access them. Using these fraudulently reset passwords, other intruders sent phony tweets from approximately nine user accounts. One tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline. At least one other phony tweet was sent from the account of Fox News."
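The first breach combines two failures the FTC describes: an administrative password that was a lower-case dictionary word, and a login page that accepted thousands of guesses. The following is an added example, not code from the article or from Twitter: a mock login service attacked with a small constructed word list, first with no throttling and then with a per-account lockout, plus a policy check that would have rejected the weak password. The account name, the passwords, the word list and the lockout threshold are all constructed for the illustration.

```python
"""Added example: dictionary attack against a mock login page, with and
without account lockout. Nothing here is Twitter's code; the account name,
passwords and word list are constructed for the illustration."""

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for a password-guessing tool's dictionary; real
# tools submit thousands or millions of candidates.
WORDLIST = ["letmein", "password", "admin", "welcome", "monkey",
            "happiness", "dragon", "sunshine", "football", "shadow"]


def derive(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly; use a much higher
    # count (or a memory-hard KDF) in a real system.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class LoginService:
    """Mock login page. lockout_threshold=None models the unthrottled
    endpoint in the FTC's account; an integer locks the account after
    that many consecutive failures."""

    def __init__(self, lockout_threshold=None):
        self.lockout_threshold = lockout_threshold
        self.accounts = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, derive(password, salt))

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return False
        if hmac.compare_digest(derive(password, acct.salt), acct.digest):
            acct.failures = 0
            return True
        acct.failures += 1
        if (self.lockout_threshold is not None
                and acct.failures >= self.lockout_threshold):
            acct.locked = True
        return False


def dictionary_attack(service: LoginService, username: str, wordlist):
    """Submit each candidate in turn; return (password, guesses) on
    success or (None, guesses) if the list is exhausted."""
    for n, guess in enumerate(wordlist, 1):
        if service.login(username, guess):
            return guess, n
    return None, len(wordlist)


def is_weak(password: str, wordlist) -> bool:
    """Policy check: reject dictionary words, short passwords and
    all-lower-case passwords (the weaknesses the FTC quote names)."""
    return (password.lower() in wordlist
            or len(password) < 12
            or password.islower())


def demo() -> dict:
    results = {}
    # Unthrottled endpoint with a lower-case dictionary word: falls fast.
    open_service = LoginService(lockout_threshold=None)
    open_service.register("support_admin", "happiness")
    results["unthrottled"] = dictionary_attack(
        open_service, "support_admin", WORDLIST)
    # Same weak password, but the account locks after five failures, so
    # the correct guess (sixth in the list) is refused too.
    guarded = LoginService(lockout_threshold=5)
    guarded.register("support_admin", "happiness")
    results["lockout"] = dictionary_attack(guarded, "support_admin", WORDLIST)
    # Policy check on the weak password and on a constructed strong one.
    results["weak_check"] = (is_weak("happiness", WORDLIST),
                             is_weak("Tw!tter-Ops-2009-x9Qz", WORDLIST))
    return results


if __name__ == "__main__":
    print(demo())
```

Per-account lockout stops the guessing but lets an attacker lock administrators out on purpose, so in practice it is paired with IP-level rate limiting, a second factor on administrative logins, and a password policy that never accepts a dictionary word in the first place; the lockout here is only the simplest control that would have changed the outcome the FTC describes.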

The FTC then describes a second breach: "During a second security breach, in April 2009, a hacker compromised a Twitter employee's personal e-mail account where two passwords similar to the employee's Twitter administrative password were stored, in plain text.

"Using this information, the hacker was able to guess the employee's Twitter administrative password. The hacker reset at least one Twitter user's password, and could access private user information and tweets for any Twitter users."