Early in 2009, when Twitter employed less than 50 people, we faced two different security incidents that impacted a small number of users. Put simply, we were the victim of an attack and user accounts were improperly accessed. There were 45 accounts accessed in a January incident and 10 that April for short periods of time. In the first incident, unauthorized joke tweets were made from nine accounts and attackers may have accessed nonpublic information such as email addresses and mobile phone numbers. In the second, nonpublic information was accessible and at least one user’s password was reset.
Within hours of the January breach, we closed the security hole and notified affected account holders. We posted a blog post about it on the same day. In the April incident, within less than 18 minutes of the hack we removed administrative access to the hacker and we quickly notified affected users. We also posted this blog item about the incident within a few days of first learning about it.
Why are we bringing up these incidents from 18 and 14 months ago that we already told people about? Because the United States Federal Trade Commission (FTC) launched an inquiry into our security practices related to these attacks and today announced that we’ve reached an agreement that resolves their concerns. Even before the agreement, we’d implemented many of the FTC’s suggestions and the agreement formalizes our commitment to those security practices.