Privacy Lessons from the Twitter Breach
Earlier this year the Federal Trade Commission (FTC) settled a case with Twitter regarding, in the opinion of the FTC, lax electronic administration of Twitter's website. This case provides insight into what is required in privacy policies and what administrative controls are required.
Twitter Was Hacked
The FTC initiated proceedings against Twitter based on the actions in 2009 of two hackers who took control of the administrative processes of Twitter, which resulted in access to private personal information of users and the ability to create tweets under another person’s user name. (See The New York Times' account of the breach at "Twitter Settles F.T.C. Privacy Case.") The FTC charged Twitter with lax administrative controls for data security. The hackers were able to gain access through an automated password-guessing tool that found an administrative password that was a common dictionary word. From there, the hacker was able to use the password to reset passwords for users and gain access to personal accounts. Another hacker was able to gain access to the personal email account of an employee of Twitter. The employee had stored administrative passwords in that personal email account, which allowed the hacker to gain access to Twitter’s administrative controls.
Source: Practical eCommerce, October 18, 2010, by Jeff Jacobson, JD, LLM
Read the full article at: http://www.practicalecommerce.com/articles/2321-Legal-Privacy-Lessons-from-the-Twitter-Breach-
