Despite No Data Breach, Twitter Discloses Password Vulnerability

Contributor: Cadwalader, Wickersham & Taft LLP

Twitter disclosed that the passwords of more than 330 million users worldwide had been written to an internal log in an unprotected form. The company attributed the exposure to an internal software bug: Twitter normally stores passwords only as bcrypt hashes, but the bug caused plaintext passwords to be written to the log before the hashing step completed.

According to Twitter, the software issue has been corrected and an internal investigation found nothing to indicate that the passwords or any other nonpublic user information were breached or misused. In an online post titled "Keeping your account secure," Twitter Chief Technology Officer Parag Agrawal notified the public about the issue and encouraged users to change their passwords "[o]ut of an abundance of caution."
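The failure mode described above, in code: a password-change handler that logs the raw request before the password is hashed, beside a version that redacts secrets before anything is logged, plus a simple log scan that would have flagged the leak. This is an added illustration, not Twitter's code. It uses PBKDF2-HMAC from the Python standard library as a stand-in for bcrypt (the point is where the plaintext goes, not which slow hash is used); the handler names, the in-memory log sink and the sample user and password are constructed for the example.

```python
import hashlib
import hmac
import io
import logging
import os
import re

# Constructed in-memory "log file" so the example runs offline and the
# log contents can be inspected afterwards.
LOG_STREAM = io.StringIO()
logger = logging.getLogger("auth_example")
logger.setLevel(logging.INFO)
logger.propagate = False
logger.addHandler(logging.StreamHandler(LOG_STREAM))

# PBKDF2-HMAC-SHA256 stands in for bcrypt here (stdlib, no dependency).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing salted hash: pbkdf2$<iters>$<salt hex>$<dk hex>."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def vulnerable_set_password(user: str, password: str) -> str:
    """Flawed: the raw request is logged before hashing, so the plaintext
    password lands in the log (the failure mode Twitter described)."""
    logger.info("set_password request: %r", {"user": user, "password": password})
    return hash_password(password)


# Field names that must never reach a log in the clear (assumed list).
SECRET_FIELDS = frozenset({"password", "new_password", "current_password"})


def redact(params: dict) -> dict:
    """Replace secret field values with a fixed marker before logging."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in params.items()}


def hardened_set_password(user: str, password: str) -> str:
    """Same flow, but only a redacted copy of the request is ever logged."""
    logger.info("set_password request: %r", redact({"user": user, "password": password}))
    return hash_password(password)


# Detection side: a deliberately broad pattern for password values in log
# text, covering key/value reprs ('password': 'x') and query-style password=x.
PASSWORD_RE = re.compile(r"""['"]?password['"]?\s*[:=]\s*['"]?(?P<value>[^'",}\s]+)""",
                         re.IGNORECASE)


def find_plaintext_passwords(log_text: str) -> list:
    """Return every password-looking value in the log that was not redacted."""
    return [m.group("value") for m in PASSWORD_RE.finditer(log_text)
            if m.group("value") != "<redacted>"]


def run_demo() -> dict:
    """Run both handlers on a constructed request and scan the resulting log."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_set_password),
                          ("hardened", hardened_set_password)):
        LOG_STREAM.seek(0)
        LOG_STREAM.truncate(0)
        stored = handler("alice", "hunter2")  # constructed sample credentials
        results[name] = {
            "leaked": find_plaintext_passwords(LOG_STREAM.getvalue()),
            "verifies": verify_password("hunter2", stored),
        }
    return results


if __name__ == "__main__":
    print(run_demo())
```

Both handlers produce a verifier-compatible hash; only the vulnerable one leaves `hunter2` recoverable from the log. The scan is the kind of check worth running over existing log archives after fixing a bug like this, since correcting the code does not remove what was already written.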

In 2011, Twitter settled Federal Trade Commission ("FTC") charges that inadequate system controls had left accounts open to unauthorized access by hackers, exposing nonpublic user information such as passwords, telephone numbers and email addresses. The settlement concerned intrusions during a six-month period in 2009 in which hackers allegedly exploited weaknesses in Twitter's password policies and website access points to hijack several accounts. The FTC alleged that Twitter had engaged in deceptive acts or practices affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The resulting settlement required, among other things, that Twitter implement a comprehensive information security program subject to biennial assessments by an independent third-party professional for a period of ten years.

Commentary / Alex Hokenson

Twitter's proactive disclosure, made even though no data breach had occurred, may signal a broader shift in behavior among technology companies seeking to avoid regulatory scrutiny and negative publicity. After the recent failures by Yahoo and Facebook to disclose breaches or compromises of user information in a timely manner, the technology industry faces growing criticism from lawmakers and privacy advocates and the prospect of greater regulation. Twitter's decision to disclose is the prudent course: data breaches and vulnerabilities easily become public, and delays in disclosure only increase the ire of lawmakers and the public.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
