Twitter’s former head of security Peiter “Mudge” Zatko has accused his former employer of cybersecurity negligence in an explosive whistleblower complaint first obtained by CNN and The Washington Post.
Zatko, a well-known hacker, was recruited by Twitter to head up the company’s security division in late-2020, months after a very public breach saw hackers hijack the Twitter accounts of some of the world’s most famous people, including Joe Biden and Elon Musk. He was mysteriously let go less than two years later.
Though his time at Twitter was brief, Zatko says he witnessed “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy,” according to his whistleblower complaint dated July 6, which was filed with the U.S. Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Justice Department. He told the Washington Post that his public whistleblowing comes after his attempts to flag the security lapses with Twitter’s board were ignored.
Zatko alleges in the complaint, reviewed by TechCrunch, that Twitter lacked basic security controls. He said thousands of employee laptops contained complete copies of Twitter’s source code and that about one-third of those devices blocked automatic security fixes, had system firewalls turned off, and had remote desktop access enabled for non-approved purposes. Zatko also accused the company of failing to actively monitor what employees were doing on their computers. As a result, “employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations,” the complaint said.
Zatko also alleges that about 5,000 full-time employees had broad access to the company’s internal software and that access was not closely monitored, giving them the ability to tap into sensitive data and alter how the service worked.
During his time at the company, Zatko said he came across a number of vulnerabilities “waiting to be discovered.” He says he discovered that half of the company’s 500,000 datacenter servers run on outdated software that do not support basic security features, such as encryption for stored data, or no longer received regular security updates from their vendors, This meant that Twitter suffered from an “anomalously high rate” of security incidents, Zatko said, and “reasonably feared Twitter could suffer an Equifax-level hack,” referring to the 2017 credit agency breach that resulted in the theft of close to 150 million Americans’ personal information.
The complaint alleges that the company had approximately one security incident each week serious enough that Twitter was required to report it to government agencies.
“In 2020 alone, Twitter had more than 40 security incidents, 70% of which were access control-related,” the complaint reads. “These included 20 incidents defined as breaches; all but two of which were access control related.”
Beyond claims of serious cybersecurity failings, Zatko also alleges that the Indian government forced Twitter to hire one of its agents and that the company repeatedly violated the terms of a 2011 agreement with the FTC. The complaint alleges Twitter does not reliably delete users’ data — including direct messages — after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do.
The complaint also has potential implications for Twitter’s legal battle with Musk, who is trying to get out of a $44 billion contract to buy the social media platform. Zatko says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and weren’t motivated to do so.
Twitter spokesperson Madeline Broas told TechCrunch in a boilerplate statement: “Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”