NEW YORK (CNNMoney.com) -- Twitter agreed to settle charges that it "deceived customers" and failed to protect their personal information, the Federal Trade Commission said Thursday.
The FTC's complaint against Twitter said "serious lapses" in the service's data security allowed hackers to obtain administrative control of the site multiple times between January and May 2009.
The FTC has brought charges against companies 30 times over faulty data security, but this marked the first such case against a social network.
In January 2009, a hacker used an automated password-guessing tool to submit thousands attempts at Twitter's login page. The hacker eventually obtained the site's administrative password, which was "a weak, lowercase, common dictionary word."
Hackers were then able to access tweets that users had set to private. They also sent fake tweets from nine accounts, including those of President Obama and Fox News.
During a second security breach in April 2009, a hacker was able to access a Twitter employee's personal e-mail account and found two passwords similar to the employee's Twitter administrative password. The hacker was able to use those passwords to guess the employee's Twitter password.
"Put simply, we were the victim of an attack and user accounts were improperly accessed," Alexander Macgillivray, Twitter's general counsel, said in a prepared statement.
Macgillivray said that within hours of the January breach, Twitter closed the security hole, notified affected account holders and posted a statement on its blog post. After the April breach, Twitter cut off the hacker's administrative access within 18 minutes and "quickly notified affected users."
The FTC said Twitter was vulnerable to these attacks because it "failed to take reasonable steps to prevent unauthorized control of its system," including requiring employees to use a hard-to-guess password and suspending administrative accounts after several unsuccessful login attempts.
Under the terms of the settlement, Twitter "will be barred for 20 years from misleading consumers" about its protection of private data. The company will also have to maintain an information security program that a third-party observer will assess every other year for 10 years.
"When a company promises consumers that their personal information is secure, it must live up to that promise," David Vladeck, director of the FTC's Bureau of Consumer Protection, said in a statement.
"Consumers who use social networking sites may choose to share some information with others," Vladeck added, "but they still have a right to expect that their personal information will be kept private and secure."
Twitter has suffered through other embarrassing glitches. In May, thousands of people took advantage of a vulnerability that let users "force" others to become their followers. Twitter quickly patched the glitch, but it had to temporarily take down its "follow" counts to do it.
The FTC smackdown comes at the end of a stretch in which Twitter has been battling its most publicized growing pains to date.
Hammered by World Cup traffic and battling issues with its network infrastructure, Twitter has suffered serious downtime almost every day this month. On Thursday, the site had several of its automated feeds disabled as it worked on stability issues.
A court-appointed administrator announced the distribution Friday of $76 million to roughly 27,500 U.S. customers of now-defunct Full Tilt Poker. More
What we commonly call the Web is really just the surface. Beneath that is a vast, mostly uncharted ocean called the Deep Web. More
Sanjiv Patel has invested over $1 million in his peanut company under a program that grants green cards to investors, but he may get kicked out of the country if he doesn't hire eight more people. More
As free checking disappears from the nation's biggest banks, the accounts remain alive and well at credit unions. More