Twitter’s former head of security, who has a long history of sounding the alarm about internet security, came out swinging on Tuesday against his former employer, alleging lax security at every level of the company that continues to put users’ personal data at serious risk.
Peiter “Mudge” Zatko, a former hacker and cybersecurity expert, told CNN and Washington Post reporters that Twitter has vulnerabilities from the top down: that roughly half of all employees have access to users’ personal data, that company leaders failed to protect that data, that Twitter has let government agents infiltrate the company, and that its method of counting bots fails to accurately assess how many fake accounts are on the platform.
The whistleblower said that not only does Twitter often fail to delete user data when customers choose to close their accounts, but about half the company, thousands of full-time employees, has access to that same data. According to interviews with Zatko, a large number of employees also have access to the platform’s “production environment,” which allows them to make changes to Twitter itself, and the company did not log who had gone in or what they changed. The former hacker said this was especially concerning in light of events like the Jan. 6 insurrection: any one of those thousands of employees, had they been sympathetic to the insurrectionists, could have tried to manipulate the platform without leaving a record, according to CNN.
Zatko also alleges Twitter has let government agents infiltrate the company. A related Washington Post report says Zatko told federal officials and lawmakers he believed the Indian government had pressured Twitter into hiring one of its agents. The whistleblower has apparently sent further details on that claim to the National Security Division of the Justice Department as well as the Senate Intelligence Committee.
The head-spinning allegations accompany a 200-page whistleblower complaint sent to multiple federal agencies and lawmakers on Capitol Hill alleging all manner of subversion and lies that present a real danger to “national security and democracy,” which is especially concerning with the midterm elections approaching. The complaints were apparently sent July 6, according to the reports.
According to the cover letter to the 200-page whistleblower document provided to congressional lawmakers, shared by CNN, Zatko worked at Twitter for more than a year, from November 2020 to January 2022, and believes Twitter is “in violation of numerous laws and regulations.” Zatko was hired by then-Twitter CEO Jack Dorsey after a massive hack in 2020 but quickly ran into friction with then-Chief Technology Officer Parag Agrawal, who was named CEO after Dorsey stepped down last November. Zatko was fired in January and sent a letter to Twitter’s board in February alleging that Twitter had massive holes in its security, according to the CNN and WaPo reports.
Zatko even alleges that Agrawal proposed complying with Russian demands that the company open a local office in the country, a move likely intended to enable censorship and attacks on dissidents.
We reached out to Whistleblower Aid, the nonprofit organization aiding Zatko with his whistleblower complaints. Though a spokesperson told Gizmodo they were precluded from sharing the full whistleblower complaint, they did confirm the authenticity of the document as shared by the Washington Post.
CNN reporter Donie O’Sullivan shared a letter Agrawal sent to Twitter’s roughly 7,000 employees, telling them that Zatko’s narrative was “false” and “riddled with inconsistencies and inaccuracies.”
“We will pursue all paths to defend our integrity as a company and set the record straight,” Agrawal wrote.
A Twitter spokesperson said in an email statement sent to Gizmodo: “Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
In an email statement sent to Gizmodo, John Tye, the chief disclosure officer of Whistleblower Aid and Zatko’s lawyer, said: “Mudge stands by everything in his disclosure, and his career of ethical and effective leadership speaks for itself. The focus should be on the facts laid out in the disclosure, not ad hominem attacks against the whistleblower.”
Of course, these allegations about employee access to user data come soon after the U.S. convicted a former Twitter employee of working on behalf of Saudi Arabia’s Crown Prince Mohammed bin Salman. Federal prosecutors said U.S. citizen Ahmad Abouammo used his access at Twitter to pass user information on Saudi dissidents to MBS’s government. Abouammo had worked as a media partnerships manager promoting the platform to nations in North Africa and the Middle East, a role that nonetheless gave him access to user data.
Back in 2010, the Federal Trade Commission settled with Twitter over allegations that it failed to safeguard user information and had twice let hackers take control of the platform because of weak password practices. The hackers were able to send fake tweets from accounts as high-profile as then-President Barack Obama’s. The resulting order barred Twitter from misleading users about its security and privacy practices, but Zatko said Twitter had “never been in compliance” with that order and that it suffers security incidents roughly once a week that are serious enough to require disclosure to the federal government.
Twitter has long struggled to stay on the straight and narrow with how it handles user data. This past May it agreed to pay the FTC $150 million for using phone numbers and email addresses that users had provided for account security to help target advertising, which Twitter said was not intentional. The company has been routinely careless with personal information: security researchers noticed that Twitter’s first attempt at letting users send money to each other could expose the sender’s home address.
And of course, Zatko’s allegations about bots have inflamed Elon Musk and his crusade to get out of his Twitter buyout deal. So far, Twitter’s lawyers have had the upper hand in the proceedings, arguing that Musk’s claims of rampant bots were “factually inaccurate.” Now Musk’s lawyer Alex Spiro has told reporters that they have “already issued a subpoena to Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”
Zatko’s lawyer told CNN that Zatko had not been in contact with Musk and had started the whistleblower process before Musk first hinted earlier this year that he wanted to buy Twitter.