Twitter disclosed that passwords for over 330 million users worldwide were stored in an unsecured format. The company explained that the vulnerability occurred because of an internal software glitch.
According to Twitter, the software issue has been corrected and an internal investigation found nothing to indicate that the passwords or any other nonpublic user information were breached or misused. In an online post titled "Keeping your account secure," Twitter Chief Technology Officer Parag Agrawal notified the public about the issue and encouraged users to change their passwords "[o]ut of an abundance of caution."
In 2011, Twitter settled Federal Trade Commission ("FTC") charges that its inadequate system controls left accounts vulnerable to hackers gaining unauthorized access to nonpublic user information such as passwords, telephone numbers and email addresses. The settlement concerned a hacking incident during a six-month period in 2009. Hackers allegedly used weaknesses in Twitter's password policies and website access points to hijack several accounts. At the time, the FTC alleged that Twitter had engaged in deceptive acts or practices affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. Twitter's settlement with the FTC resulting from that breach required, among other things, the implementation of a comprehensive information security program subject to biennial assessments by an independent third-party professional for a period of ten years.