Using Twitter's public data for spying is "absolutely unacceptable."
Twitter reiterated its policy that restricts third parties from employing public data or data products for surveillance.
The practice, recently used by police to profile protesters and activists, is "absolutely unacceptable," the microblogging site said.
Last month, law enforcement officials in Baltimore and Oakland, Calif., used analytics software from Geofeedia to monitor demonstrators via Twitter, Facebook, and Instagram.
Following a report by the ACLU, the social media firm promptly curtailed Geofeedia's access.
"We prohibit developers using the Public APIs and Gnip data products from allowing law enforcement—or any other entity—to use Twitter data for surveillance purposes. Period," Chris Moody, general manager of data and enterprise solutions, wrote in a blog entry.
Moving forward, the company intends to expand its efforts, with plans to add more resources for pursuing complaints about misuse of information.
Twitter will also continue running its internal review process, rejecting requested use cases "where appropriate."
Anyone who violates these rules may face suspension and termination of access to Twitter data.
"As a company, our commitment to social justice is core to our mission and well established," Moody said. "And our policies in this area are long-standing."
Twitter is built on content that people choose to share publicly, and has benefited from innovation and creation. News alerts based on tweets, for instance, help first responders react to emergencies and natural disasters.
"We believe this is an important service and support developers doing this important work," Moody added.
And while the crackdown won't stop law enforcement officials from making formal requests or conducting their own searches, it will make the process more difficult.
"The vast majority of developers respect the voices of people using Twitter, and we appreciate and support the creative and innovative work being done by these developers every day," the company said.
Instead, the hackers amassed the stolen credentials by combining information from other recent breaches and via password-stealing malware on victims' machines. "Regardless of origin, we're acting swiftly to protect your Twitter account," Twitter Trust and Information Security Officer Michael Coates wrote in a blog post. Twitter's security team cross-checked the information from this and other recent leaks with the company's records and identified "a number" of accounts with exposed passwords.
Twitter has locked all affected accounts; if yours is among them, you should have already received an email and will need to reset your password. The site also recommends that users enable login verification, its two-factor authentication tool.
Coates called this "the single best action you can take to increase your account security." Other actions you can take: set up a strong password and don't reuse it on other websites, and consider using a password manager such as 1Password or LastPass to ensure you're using strong passwords everywhere. "The recent prevalence of data breaches from other websites is challenging for all websites — not just those breached," Coates wrote. "Attackers mine the exposed username, email and password data, leverage automation, and then attempt to automatically test this login data and passwords against all top websites.
If a person used the same username and password on multiple sites then attackers could, in some situations, automatically take over their account."
Before the account was suspended, it claimed the password protecting the NFL Twitter feed was "olsen3culvercam88." The Daily Dot said someone connected to the IDissEverything account claimed the password was revealed after someone "managed to get into the email of a social media staffer at the NFL, where we found the credentials in a message." It's still not clear how the group got access to the e-mail account. Tuesday's breach was only the latest one to affect a high-profile Twitter user.
Facebook founder and CEO Mark Zuckerberg recently saw his dormant Twitter account taken over by someone who discovered its password—"dadada"—was the same one that protected his LinkedIn account. Zuckerberg's LinkedIn account, in turn, had been compromised in a 2012 breach of the career networking site. Other celebrities, including Katy Perry, Lana Del Rey, and Kylie Jenner, have also reportedly had their Twitter accounts taken over in recent days. In 2012 and 2013, a long list of news organizations also saw their Twitter accounts hijacked by a group calling itself the Syrian Electronic Army. When the group took over the Twitter account of the Associated Press, it used the unauthorized access to send a bogus report falsely claiming that the White House had been bombed and President Obama was injured. Twitter provides two-factor authentication through a smartphone app that makes account takeovers much harder to carry out. Users who are willing to divulge their phone number to the microblogging service should strongly consider using it.