The feature, known as “two-factor” authentication, is already used by companies like Google and Apple and works by sending a pin code via text message to a user’s cell phone. Twitter has details and a tutorial video here.

The decision to add an extra security feature comes after hackers have repeatedly gained control of high profile Twitter feeds. The most prominent example occurred last month when hackers used the Associated Press’s account to say bombs had injured President Obama. The fake tweet roiled financial markets and led to calls for Twitter to improve its security features.

Attackers have also targeted CBS, the BBC and the Onion. The latter offered a candid account of how the hackers phished employees accounts and induced some of them, including a person with control over social media passwords to share log-in information.

Two factor authentication would likely have prevented those attacks because the attackers would have had to enter a password sent to the employee’s cell phone.

In case you missed it, the AP’s Twitter account was suspended yesterday afternoon after the fake tweet — possibly posted by the Syrian army — caused a temporary shock to stock markets, which rely on news wires like the AP for up-to-date information.

On Wednesday morning, the AP announced its Twitter feed had returned and began tweeting ordinary news items (though initially forgetting to delete the hoax tweet):

The @AP Twitter account, which was suspended after being hacked, has been secured and is back up. Thank you for your patience. – @EricCarvin—
The Associated Press (@AP) April 24, 2013

Most of the account’s followers, however, appear to have disappeared. At the time of the hacking incident, the AP had nearly 2 million followers:

As of Wednesday morning at 9:30 ET, however, the AP account had fewer than 100,000 followers:

I’ve asked the AP for an explanation and am still waiting on a response. At this point,Twitter may be adding the followers back gradually; the 85,454 figure is almost double the number from earlier this morning.

Update: The AP says its social media editor ”was told by Twitter that it can take up to 24 hours for the follower count of a suspended account to return to normal.”

If the followers have indeed been wiped out, this would represent a serious blow for the AP. Like other news organizations, the AP relies heavily on social media outlets to disseminate its stories, and an organization’s (or person’s) number of Twitter followers can stand as proxy for influence.

The AP hacking incident has also led to calls for Twitter to introduce a security feature known as 2-step authentication.

Twitter has since suspended the account and the AP issued the following statement: “Advisory: @AP Twitter account has been hacked. Tweet about an attack at the White House is false. We will advise more as soon as possible.”

The episode shows again, as it did during the Boston tragedy, the mischief that can occur as a result of huge number of people instantly relaying false information through false tweets. The Anonymous hacker news account, for instance, saw its reporting of the message retweeted almost 500 times:

Breaking: Two Explosions in the White House and Barack Obama is injured via @AP—
Anonymous (@YourAnonNews) April 23, 2013

In the last year, Twitter has become an essential news source not only for news outlets but for the financial community. This month, Bloomberg incorporated Twitter feeds into its terminals while the SEC gave companies the green light to use it for relating market moving news.

Update: The AP has since issued this tweet from a separate account associated with its political news outlet:

All, AP's Twitter accounts will be suspended until we can be assured of their security. Do not respond to any news posted by these accounts.—
AP Politics (@AP_Politics) April 23, 2013

The strange Twitter activity took place after hackers apparently took control of Burger King’s account and replaced its name and image with the McDonald’s logo. Here is a screenshot of what followers of @burgerking saw on Monday:

The blue checkmark beside the @burgerking name indicate that this is indeed Burger King’s official Twitter account. Other tweets included:

This is why we were sold to @mcdonalds! All of our employees crush and sniff percocets in the bathrooms =[ @dfnctsc twitter.com/BurgerKing/sta…

— McDonalds (@BurgerKing) February 18, 2013

It’s unclear who is behind  the mischief but the tweets’ references to “lulz’ and “@youranonnews” suggest the hacker collective Anonymous is involved.

Meanwhile, regular Twitter users are having a merry time speculating on how this may have happened:

haha! re: j.mp/W018Vi : RT @cebsilver .@scottmonty "What was the account password?" SM Intern: "It was 'whopper.'" "You're Fired."—
  (@jeffscott) February 18, 2013

It’s accepted as common wisdom for big brands to have an active presence on social media but this incident shows how things can go very wrong. Previous Twitter disasters involve McDonald’s buying a sponsored hashtag to promote “McDStories” only to see users tell tales of gross food and alleged animal cruelty.

As of early Monday afternoon Eastern Time, the Burger King account was still under control of the hackers.

Update: At 1:15 ET, Twitter said the account had been suspended. As Frank Reed notes in the comments below, the incident may not be all bad it’s given Burger King more publicity than it’s had in a long time. And, as a hacker account notes:

With @BurgerKing getting hacked they got a 30% rase in followers, remember to unfollow.—
Anonymous (@YourAnonNews) February 18, 2013

As for McDonald’s, the company offered this response:

We empathize with our @BurgerKing counterparts. Rest assured, we had nothing to do with the hacking.—
McDonald's (@McDonalds) February 18, 2013

The incident stems from a highly publicized incident in February in which a Stanford graduate student discovered that Google was using trickery in order to by-pass ad-blocking settings on Apple’s Safari browser. The scheme involved coding ads to masquerade as form submissions in order to install advertising cookies (see my colleague Tom Krazit’s great explanation of the tricky business — and its relation to Google+ — here).

While other companies and app makers may have engaged in similar chicanery, the Federal Trade Commission appears determined to hit deep-pocketed Google hard. The Journal reports that the FTC’s $22.5 million punishment is based on Google’s failure to tell the truth about its advertising practices.

The federal agency has in recent years emerged as the country’s de facto chief privacy cop even though the laws governing the agency aren’t particularly designed to do this. While other countries have special Privacy Commissioners, the FTC instead relies on its traditional powers to regulate “deceptive” and “unfair” trade practices.

The FTC recently used these powers to slap a 20-year “consent decree” on Google to punish it for missteps related to its ill-fated Google Buzz social network. That consent decree in turn provided the FTC with powers to fine Google $16,000 a day if it violated the terms of the decree. That is what appears to have happened here: Google didn’t comply with terms of the decree that requires it to tell users about its advertising practices.

Google also faces a series of private class action suits over the Safari incident. The news of the FTC fine comes at a time when every large technology company is confronting lawsuits and regulatory scrutiny over their privacy practices.

(Image by Suzanne Tucker via Shutterstock)

A complaint filed in San Jose cites a “troubling lack of security measures” and accuses LinkedIn of negligence and breach of contract for failing to encrypt its user database with industry standard security measures. The incident resulted in hackers posting users’ information online but it is not yet clear how much data they obtained.

The lead plaintiff in the case is Katie Szpryka who paid for an upgraded account with the social network. The lawsuit, which also covers a separate class of users with free accounts, adds that LinkedIn breached California consumer protection laws. It cites a FTC complaint from 2003 in which the federal regulator accused the Guess! clothing company of unfair trade practices for storing customer information in an unencrypted database with poor security.

The case is likely to turn on whether LinkedIn did enough to protect its users accounts and whether it did enough to notify users of the hacking incident. The breach was first reported by a Norwegian security firm and then publicized by numerous technology sites but LinkedIn appears to have dithered for more than twelve hours before telling users that data had been compromised.

Critics claim LinkedIn should have used a common practice known as “salting” to make the passwords harder to decrypt.

The LinkedIn case is just the latest in a parade of class actions in which technology companies stand accused of violating user privacy. As we reported yesterday in regard to the latest $10 million Facebook settlement, money from the lawsuits rarely goes to users.

The complaint is below. It was first reported by CourtHouse news service.

Linkedin Class Actionhttp://www.scribd.com/embeds/97589713/content?start_page=1&view_mode=list&access_key=key-1yhcpot45wk857owp3z9

Photo courtesy of Shutterstock user [Blazej Lyjak].

On Thursday, the CBS-owned, London-based music website became the latest website — after LinkedIn and eHarmony — to reveal that its data had been stolen, asking users to change their passwords after a dump of around 1.5 million passwords appeared on a cryptography forum.

Over the weekend, product chief Matthew Hawn posted an update saying that the hack had become apparent after a tip-off, and that the company had already upgraded its security as a result:

“Earlier this week, Last.fm received an email that let us know a text file containing cryptographic strings for passwords (known as “hashes”) that might be connected to Last.fm had been posted to a password cracking forum. We immediately checked the file against our user database and, while this review continues, we felt it was important enough to act on.

“We immediately implemented a number of key security changes around user data and we chose to be cautious and alert Last.fm users. We recommend that users change their password on Last.fm and on any other sites that use a similar password. All the updated passwords since yesterday afternoon have been secured with a more rigorous method for user data storage.”

But, while details of the attack only appears to have come to light in the last few days, evidence suggests that it actually happened at least three months ago — and that the company failed to catch it in the meantime.

In May, a number of users reported that they had been spammed at email addresses that could have only been available through Last.fm’s service. Customer support manager Matt Knapman responded by saying the company was investigating the incident and examining its systems for potential security breaches.

“We are investigating this matter urgently, running a security audit and looking at alternative ways the spamming of Last.fm users might have occurred.”

It appears this audit did not find evidence of the breach, nor did it uncover when the attack had taken place.

The timeline remains something of a mystery, but, despite rumors that it is the result of a breach that occurred in 2011, as suggested in this Reddit comment, I have learned that the attack most likely happened in February or March — a three full months before the first evidence spilled online.

The security flaw responsible, however, goes much, much further back. Former Last.fm developer Russ Garrett admitted on Twitter that he was responsible for failing to implement extra levels of password cryptography when he wrote the original security code as an 18-year-old in 2003, adding later that he “very much regretted” not fixing the issue before he left the company around three years ago:

@jgrahamc ultimately the unsalted MD5 auth was doing. In my defence: I was 18. It was 2003. The PHP community had no idea of bcrypt then.

— Russ Garrett (@russss) June 7, 2012

But even this is not the whole story: it explains why hackers were able to get crackable versions of user passwords, but not how they were able to access the data in the first place. How that happened, I am led to believe, is still being looked into.

I’ve contacted Last.fm for comment, but it is yet to reply.

The hacking collective is claiming responsibility for levelling a successful distributed denial of service (DDOS) attack on the websites of Virgin Media.

Virgin became the first UK ISP to block its subscribers’ access to The Pirate Bay last week, following a High Court ruling that the Bay breaches record label copyrights and should be blocked by five such providers.

#Anonymous have just taken down #VirginMedia website again because of their involvement in the #Censorship of The Pirate Bay #TPB #OpTPB

— Anonymous UK (@AnonUK) May 8, 2012

But The Pirate Bay does not appear to be on the same page as Anonymous. According to its Facebook page:

“We do NOT encourage these actions. We believe in the open and free internets (sic), where anyone can express their views. Even if we strongly disagree with them and even if they hate us.

“So don’t fight them using their ugly methods. DDOS and blocks are both forms of censorship.”

Virgin Media tells The Register:

“Our website, virginmedia.com, has been the subject of denial of service attacks so we took the site offline for a short period of time. We’re aware some groups are claiming the attacks are a result of the recent High Court order which requires ISPs to prevent access to The Pirate Bay.

“As a responsible ISP, Virgin Media complies with court orders but we strongly believe that tackling the issue of copyright infringement needs compelling legal alternatives, giving consumers access to great content at the right price, to help change consumer behaviour.”

“We conclude, therefore, that Rupert Murdoch is not a fit person to exercise the stewardship of a major international company.”

That is one damning conclusion in the report in to whether a committee of 10 cross-party parliamentarians was mis-led during its hearings in to phone hacking at the News Of The World newspaper.

MPs’ disagreement

But the report’s authors are riven along party lines over this conclusion, which was inserted by Labour MP Tom Watson. Despite agreeing to several other conclusions, four Conservative members voted against the report as a whole because they could not agree with Watson’s addition regarding Murdoch.

“It was stuck in on the basis of no evidence whatsoever,” committee member Louise Mensch, a Conservative MP, told a remarkable press conference. “We all felt that was wildly outside the scope of a select committee. It will correctly be seen as a partisan report. It’s not for this committee to advise News Corp shareholders.”

The headline-grabbing line was proposed by MP Tom Watson, the most dogged of News Corp’s parliamentary pursuers, who is publishing a book on the whole affair, and who said: ”More than any individual alive, he (Rupert Murdoch) is to blame.”

Due to the disagreement, the committee is referring the report up for endorsement by the House Of Commons itself.

Committee member Damian Collins, a Conservative, said the matter of Murdoch’s fitness should be left to UK media regulator Ofcom, which is deliberating whether BSkyB and News Corp are fit to hold a broadcasting license.

James’ competence ‘astonishing’

The committee concluded unanimously it had been misled by former News International and Dow Jones CEO Les Hinton, former News Of The World legal manager Tom Crone, former News Of The World editor Colin Myler and by News International corporately.

It did not find evidence it had been misled by Rupert or James Murdoch. But it does make a slur on James’ executive abilities whilst he helmed News International: “We are astonished that James Murdoch did not seek more information … this clearly raises questions of competence on the part of News International’s then Chairman and Chief Executive.” That line was voted against by just two of the 10 committee members.

What happens next

Don’t bet on this ending any time soon:

• Committee chair John Whittingdale conceded matters are now in uncharted waters. Perjury charges for misleading parliament cannot be ruled out.
• Accountability to parliament. “There is precedent for an offender to be called before the House (Of Commons) and be admonished,” Whittingdale said.
• Despite not being unanimously agreed, the slur on Rupert’s fitness may play negatively with News Corp shareholders.
• James has already stepped back from several related board seats in an early attempt at damage control.

Final Report VOL I News Int and Phone-Hacking

• The father and son were already scheduled to give evidence to the Leveson Inquiry in to UK press standards over Tuesday, Wednesday and Thursday morning.
• Parliament’s culture select committee is due on May 1 to publish its long-awaited report in to phone hacking – expected to criticise James’ management.
• And on Monday communications regulator Ofcom said it is investigating whether email hacking at News Corp’s Sky News TV channel breaches its code prohibiting “any infringement of privacy”.

Sky News head John Ryley recently admitted to the hacking as “very clearly in the public interest”. But, appearing on Monday at the same committee which the Murdochs will grace later this week, Ryley was told by Lord Leveson: ”A criminal offence doesn’t have a public interest defence.”

Breach of privacy, as a lesser, civil offence, may arguably carry a public interest defence, Leveson told Ryley, who conceded he had only sketchy knowledge of the Misuse Of Computers Act and the Regulation Of Investigatory Powers Act which govern computer and phone hacking respectively.

News Corp in 2010 launched a bid to buy the 39.1 percent of Sky News operator BSkyB which it did not already own, a move which would move the conglomerate further in to pay-TV, ISP, telco and multi-platform content operations.

But it withdrew its bid a year later as the phone hacking furore surrounding News Corp’s News International engulfed the company.

Ofcom regulates UK broadcasting standards and spectrum, owners of which must satisfy its qualifier of “fit and proper” operators. Its Sky News inquiry matters because further stink threatens to drag BSkyB in to News Corp’s mire and to make any return to the acquisition attempt less likely.

It also makes for an additional talking point for the Murdochs this week.

Ryley also told Leveson: “It’s highly unlikely, in the future, that Sky would consider breaking the law. I am pretty much ruling it out. But journalism is, at times, a tough business – at times, we need to shed light in to wrongdoing.”

After the parliamentary committee publishes its report on May 1, News Corp will have just one week to react before it must speak with investment analysts when it unveils Q3 earnings on May 9.