Last week, Twitter was subject to a major hacking incident where the hackers gained control of multiple high profile accounts and tweeted out a cryptocurrency scam.
This 2020 Twitter hack shares many parallels with two 2009 Twitter breaches which ultimately led to the Federal Trade Commission (FTC) charging and accepting a settlement from Twitter for failure to safeguard personal information.
As with the 2020 hack, the 2009 breaches involved hackers gaining access to Twitter's administrative tools, taking over high profile accounts, and using some of these accounts to tweet out phony offers.
2009 Twitter hacks
Hackers gained access to Twitter employees' administrative accounts in two separate 2009 incidents and used this access to reset passwords and send unauthorized tweets.
The first hack occurred in January 2009 and involved a hacker using an automated password-guessing tool to get a Twitter employee's administrative password.
According to the FTC, the hacker used this tool to submit thousands of guesses on Twitter's public login page and ultimately obtained the Twitter employee's administrative password, which was a weak, lowercase, letter-only, common dictionary word.
The FTC wrote that once the hacker had access to this Twitter employee's administrative account, they could access non-public user information and tweets for any Twitter user; the hacker used this administrative access to reset some users' passwords and post some of these passwords to a website.
Some of these passwords were then used by other hackers to send unauthorized tweets from user accounts including one tweet from the account of then-President-elect Barack Obama.
The second hack occurred in April 2009 and involved a hacker compromising an employee's personal email account and then being able to “infer the employee's Twitter administrative password, based on two similar passwords, which had been stored in the account, in plain text, for at least six (6) months prior to the attack,” according to the FTC.
The FTC claims that this hacker could access non-public user information and tweets for any Twitter user and that they reset at least one user's password.
FTC charges and settlement
In 2010, the FTC filed charges against Twitter over these two hacking incidents and accused the company of deceiving consumers and putting their privacy at risk by failing to safeguard their personal information.
The FTC wrote at the time that the charges marked “the agency's first such case against a social networking service.”
In its complaint, the FTC wrote that Twitter “granted almost all of its employees the ability to exercise administrative control of the Twitter system” between July 2006 and July 2009 which included the ability to “reset a user's account password, view a user's nonpublic tweets and other nonpublic user information, and send tweets on behalf of a user.”
The FTC added that Twitter had its employees use the public Twitter login page to access administrative accounts between July 2006 and January 2009, and that Twitter instructed employees to use a personal email account for company business between July 2006 and July 2008 (in many instances this address was displayed in the email header of employees' Twitter profiles).
According to the complaint, the practices that put consumer data at risk included failing to restrict employees' access to administrative controls according to the needs of their job, failing to impose reasonable restrictions on administrative access (such as by restricting access to specified IP addresses), failing to make administrative passwords hard to guess, failing to enforce policies that prohibit storage of administrative passwords in plain text in personal email accounts, failing to suspend administrative passwords after “a reasonable number of unsuccessful login attempts,” and failing to provide an administrative login webpage that is only known to authorized users.
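The following is an added example, not part of the original article and not Twitter's code, showing what three of the controls the FTC complaint describes look like when implemented on an administrative login path: a password policy that rejects short, lowercase-only or dictionary-word admin passwords, a lockout after a fixed number of failed attempts, and an IP allow-list. The threshold of five attempts, the 15-minute lockout, the 12-character minimum, the word list and the 10.0.0.0/8 admin network are all assumptions constructed for the example; a real deployment would take them from policy and use a breached-password list rather than a handful of words.

```python
"""Added example (not from the article, not Twitter's code): an admin login
guard with a password policy, failed-attempt lockout and an IP allow-list.
All thresholds, the word list and the network range are constructed here."""
import hashlib
import hmac
import ipaddress
import os
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

FAILED_ATTEMPT_LIMIT = 5          # assumed "reasonable number" of failures
LOCKOUT_SECONDS = 15 * 60         # assumed lockout window
MIN_PASSWORD_LENGTH = 12          # assumed minimum length for admin passwords
# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "happiness", "sunshine", "letmein", "twitter"}
# Constructed admin network; the complaint faulted the absence of any such restriction.
ADMIN_ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def password_weakness(password: str) -> Optional[str]:
    """Return why a candidate admin password is unacceptable, or None if it passes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return "too short"
    if password.lower() in COMMON_WORDS:
        return "dictionary word"
    if password.isalpha() and password.islower():
        return "lowercase letters only"
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked store does not expose plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class AdminAccount:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class AdminAuth:
    accounts: Dict[str, AdminAccount] = field(default_factory=dict)

    def register(self, username: str, password: str) -> None:
        """Create an admin account, refusing passwords that fail the policy."""
        reason = password_weakness(password)
        if reason:
            raise ValueError(f"rejected admin password: {reason}")
        salt = os.urandom(16)
        self.accounts[username] = AdminAccount(salt, hash_password(password, salt))

    def login(self, username: str, password: str, source_ip: str,
              now: Optional[float] = None) -> str:
        """Return 'ok', 'ip_denied', 'locked' or 'bad_credentials'.

        Unknown usernames get the same answer as wrong passwords so the login
        path does not reveal which admin accounts exist."""
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in ADMIN_ALLOWED_NETS):
            return "ip_denied"
        account = self.accounts.get(username)
        if account is None:
            return "bad_credentials"
        if now < account.locked_until:
            return "locked"          # refused even if the password is right
        if hmac.compare_digest(account.digest, hash_password(password, account.salt)):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= FAILED_ATTEMPT_LIMIT:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
        return "bad_credentials"


if __name__ == "__main__":
    auth = AdminAuth()
    print(password_weakness("happiness"))            # a weak word is refused
    auth.register("admin", "Correct-Horse-Battery-9")
    t0 = 1_000_000.0
    for _ in range(FAILED_ATTEMPT_LIMIT):
        auth.login("admin", "wrongguess", "10.1.2.3", t0)
    print(auth.login("admin", "Correct-Horse-Battery-9", "10.1.2.3", t0 + 1))
```

With these settings a guessing tool gets at most five tries per 15 minutes per account instead of thousands, and it cannot reach the login path at all from outside the allowed network; the password policy closes the dictionary-word weakness separately, since lockout alone only slows a guess that the policy would have prevented.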
Twitter settled these charges in June 2010, and the FTC accepted the final settlement with Twitter in March 2011.
Under the terms of the settlement, Twitter was “barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.”
Twitter was also required to establish and maintain a comprehensive information security program that would be assessed by an independent auditor every other year for 10 years.
Parallels between the levels of employee access
The FTC claimed that almost all of Twitter's employees could access Twitter's administrative tools during the 2009 hacks and that these tools could have been used to take over user accounts, reset passwords, and send tweets on behalf of users.
In the wake of the 2020 hack, two former Twitter employees have claimed that, as of earlier this year, more than 1,000 employees had access to internal Twitter tools that could change user account settings and give control of accounts to others.
Parallels between the size of the accounts that were hacked
During the 2009 hacks, several high profile accounts were hacked, including those of then-President-elect Barack Obama and Fox News.
In 2020, not only was now-former President Obama's account hacked again, but numerous other high profile accounts were taken over, including those of presumptive Democratic presidential nominee Joe Biden, Tesla and SpaceX CEO Elon Musk, Amazon CEO Jeff Bezos, rapper Kanye West, and investor and philanthropist Bill Gates.
Parallels between the tweets that were sent
When Obama's account was compromised in 2009, one of the tweets sent by the hacker offered his followers a chance to win $500 in free gasoline in exchange for filling out a survey.
During the 2020 hack, the accounts of Obama and many of the others that were compromised tweeted out a cryptocurrency scam promising to double the bitcoin of anyone who sent bitcoin to a wallet controlled by the hackers.
Twitter could be fined for this 2020 hack under the terms of the original FTC settlement
Twitter is bound by the terms of the 2010 FTC settlement until June 2030.
The FTC doesn't have the authority to fine companies for misleading customers unless they're subject to an existing settlement.
In the wake of the 2020 hack, the FTC is now reportedly reviewing whether Twitter violated the 2010 settlement, and the company may face a large fine.
According to David Vladeck, a Georgetown University law professor who was director of the FTC's Bureau of Consumer Protection at the time of this 2010 settlement, the FTC could start a new investigation or bring a complaint against Twitter for violating the terms of its existing agreement.