Twitter messages are public but users can also send private messages. Twitter collects personally identifiable information about its users and shares it with third parties. The service reserves the right to sell this information as an asset if the company changes hands. While Twitter displays no advertising, advertisers can target users based on their history of tweets and may quote tweets in ads directed specifically to the user.
A security vulnerability was reported on April 7, 2007, by Nitesh Dhanjani and Rujith. Since Twitter used the phone number of the sender of an SMS message as authentication, malicious users could update someone else's status page by using SMS spoofing. The vulnerability could be used if the spoofer knew the phone number registered to their victim's account. Within a few weeks of this discovery Twitter introduced an optional personal identification number (PIN) that its users could use to authenticate their SMS-originating messages.
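The check that made SMS spoofing work, and the PIN-based fix that followed, can be shown side by side. The code below is an added illustration, not Twitter's code; the account registry, the phone numbers, the PIN and the message format (PIN as the first word of the text) are all constructed assumptions for the example.

```python
import hmac
from dataclasses import dataclass

# Constructed registry for the example: sender number -> account and PIN.
# None of these values are real.
ACCOUNTS = {
    "+15550100": {"user": "alice", "pin": "4821"},
}


@dataclass
class InboundSms:
    sender: str  # number as reported by the SMS gateway; this field can be spoofed
    body: str


def authorize_sender_only(msg: InboundSms):
    """The pre-2007 scheme: trust the sender number alone.

    Because the only credential is the caller ID, a message whose sender
    field has been forged to the victim's number is accepted as the victim.
    """
    entry = ACCOUNTS.get(msg.sender)
    if entry is None:
        return None
    return entry["user"], msg.body


def authorize_with_pin(msg: InboundSms):
    """The hardened scheme: the message must also carry the account PIN.

    Assumed format: "<PIN> <status text>". The PIN is a second factor that a
    sender who only knows the phone number does not have; it is stripped
    before the status is posted.
    """
    entry = ACCOUNTS.get(msg.sender)
    if entry is None:
        return None
    parts = msg.body.split(" ", 1)
    if len(parts) != 2:
        return None
    supplied_pin, status = parts
    # compare_digest keeps the comparison time independent of how many
    # leading characters match, so the PIN cannot be guessed digit by digit.
    if not hmac.compare_digest(supplied_pin.encode(), entry["pin"].encode()):
        return None
    return entry["user"], status


if __name__ == "__main__":
    forged = InboundSms("+15550100", "posting as alice")
    print(authorize_sender_only(forged))   # accepted: sender number alone is enough
    print(authorize_with_pin(forged))      # rejected: no PIN
    print(authorize_with_pin(InboundSms("+15550100", "4821 posting as alice")))
```

The point of the second function is that the sender number becomes a lookup key rather than a credential; the message is only acted on if it also carries something the account holder knows.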
On January 5, 2009, 33 high-profile Twitter accounts were compromised after a Twitter administrator's password was guessed by a dictionary attack. Falsified tweets — including sexually explicit and drug-related messages — were sent from these accounts.
Twitter launched the beta version of their "Verified Accounts" service on June 11, 2009, allowing famous or notable people to announce their Twitter account name. The home pages of these accounts display a badge indicating their status.
In May 2010, a bug was discovered by Inci Sözlük users that allowed Twitter users to force others to follow them without the other users' consent or knowledge. For example, comedian Conan O'Brien's account, which had been set to follow only one person, was changed to receive nearly 200 malicious subscriptions.
In response to Twitter's security breaches, the Federal Trade Commission brought charges against the service which were settled on June 24, 2010. This was the first time the FTC had taken action against a social network for security lapses. The settlement requires Twitter to take a number of steps to secure users' private information, including maintenance of a "comprehensive information security program" to be independently audited biannually.
On December 14, 2010, the United States Department of Justice issued a subpoena directing Twitter to provide information for accounts registered to or associated with WikiLeaks. Twitter decided to notify its users and said in a statement, "...it's our policy to notify users about law enforcement and governmental requests for their information, unless we are prevented by law from doing so".
A "MouseOver" exploit occurred on September 21, 2010, when an XSS Worm became active on Twitter. When an account user held the mouse cursor over blacked out parts of a tweet, the worm within the script would automatically open links and re-post itself on the reader's account. The exploit was then re-used to post pop-up ads and links to pornographic sites. The origin is unclear but Pearce H. Delphin (known on Twitter as @zzap) and a Scandinavian developer, Magnus Holm, both claim to have modified the exploit of a user, possibly Masato Kinugawa, who was using it to create coloured Tweets. Kinugawa, a Japanese developer, reported the XSS vulnerability to Twitter on August 14. Later, when he found it was exploitable again, he created the account 'RainbowTwtr' and used it to post coloured messages. Delphin says he exposed the security flaw by tweeting a JavaScript function for "onMouseOver", and Holm later created and posted the XSS Worm that automatically re-tweeted itself. Security firm Sophos reported that the virus was spread by people doing it for "fun and games", but noted it could be exploited by cybercriminals. Twitter issued a statement on their status blog at 13:50 UTC that "The exploit is fully patched". Twitter representative Carolyn Penner said no charges would be pressed.
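The underlying flaw was a lack of output encoding: tweet text was placed into page markup in a way that let a quote character in the text close an HTML attribute and start a new one, which is how the coloured tweets (an injected style) and later the onMouseOver handler got onto the page. The following is an added example, not Twitter's code, showing the unencoded rendering beside an encoded one and a small check that lists which attributes a browser would actually see. The markup shape (a span with class and title) and the sample tweet text are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample tweet text (not a real tweet): a closing quote followed
# by an extra attribute, the kind of input that produced coloured tweets.
SAMPLE_TWEET = 'rainbow" style="color:red'


def render_tweet_unsafe(text: str) -> str:
    """Concatenates tweet text straight into markup.

    Any quote or angle bracket in the text becomes part of the HTML
    structure instead of part of the data, so the text can add attributes
    (a style, or an event handler) to the element.
    """
    return f'<span class="tweet" title="{text}">{text}</span>'


def render_tweet_safe(text: str) -> str:
    """Escapes &, <, >, " and ' before insertion.

    The text is then confined to the attribute value and the element body,
    whatever characters it contains; the browser shows the quote and the
    word "style" as ordinary text.
    """
    safe = html.escape(text, quote=True)
    return f'<span class="tweet" title="{safe}">{safe}</span>'


class _AttrCollector(HTMLParser):
    """Records the attribute names of the rendered span, as a browser's
    parser would see them after entity decoding."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "span":
            self.attrs = [name for name, _ in attrs]


def span_attributes(markup: str) -> list:
    """Check helper: which attributes the span ends up with."""
    parser = _AttrCollector()
    parser.feed(markup)
    return parser.attrs


def is_tampered(markup: str) -> bool:
    """True if the tweet text managed to add attributes beyond the two the
    template defines; an 'on*' handler would show up here the same way."""
    return bool(set(span_attributes(markup)) - {"class", "title"})


if __name__ == "__main__":
    for render in (render_tweet_unsafe, render_tweet_safe):
        markup = render(SAMPLE_TWEET)
        print(render.__name__, span_attributes(markup), is_tampered(markup))
```

Escaping at the point of insertion is the fix, not filtering the word "onmouseover" out of tweets: a denylist has to anticipate every handler name and encoding trick, while encoding the five HTML metacharacters makes the text inert regardless of what it contains.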
In May 2011, a claimant known as "CTB" (subsequently identified as Ryan Giggs) in the case of CTB v Twitter Inc., Persons Unknown took legal action at the High Court of Justice in London against Twitter, requesting that Twitter release details of account holders. This followed gossip posted on Twitter about Giggs' private life, causing conflict relating to privacy injunctions. Tony Wang, the head of Twitter in Europe, said that people who do "bad things" on the site would need to defend themselves under the laws of their own jurisdiction in the event of controversy, and that the site would hand over information about users to the authorities when it was legally required to do so. He also suggested that Twitter would accede to a UK court order to divulge names of users responsible for "illegal activity" on the site.
On May 29, 2011, it was reported that South Tyneside council in England had successfully taken legal action against Twitter in a court in California, which forced Twitter to reveal the details of five user accounts. The council was trying to discover the identity of a blogger called "Mr Monkey" who allegedly posted libellous statements about three local councillors.
On January 23, 2012, it was reported that Twitter will be acquiring Dasient, a startup that offers malware protection for businesses. Twitter hopes that Dasient will help remove hateful advertisers on the website.
On January 26, 2012, Twitter began offering a feature which would allow tweets to be removed selectively by country. Twitter cited France and Germany as examples, where pro-Nazi content is illegal. Previously, deleted tweets were removed in all countries.
On February 20, 2012, a third-party public-key encryption app (written in Python and partially funded by a grant from the Shuttleworth Foundation) for private messaging in Twitter, CrypTweet, was released.
On May 17, 2012, Twitter announced it would implement the "Do Not Track" privacy option, a cookie-blocking feature found in Mozilla's Firefox browser. The "Do Not Track" feature works only on sites that have agreed to the service.
In August 2012, it was reported that there is a market in fake Twitter followers that are used to increase politicians' and celebrities' apparent popularity.