Twitter whistleblower alleges ‘egregious deficiencies’ in security measures

Twitter's former head of security has accused the company of "extreme, egregious deficiencies" in its handling of user information and spam bots in a scathing whistleblower complaint.

Peiter Zatko, a veteran hacker and security expert known as "Mudge", says the company has deceived users, board members and the federal government about the strength of its security measures. Zatko was hired in 2020 by the Twitter co-founder and then CEO Jack Dorsey to strengthen the company's security after a mass hack targeted 130 high-profile Twitter accounts.

"Twitter is grossly negligent in several areas of information security," Zatko wrote in an analysis written in February that was included in the complaint. "If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter's severe lack of security basics."

Zatko filed the complaint, which was first reported by the Washington Post and CNN on Tuesday morning, to the Securities and Exchange Commission (SEC), Department of Justice and the Federal Trade Commission (FTC). A redacted version of the complaint has been sent to multiple congressional committees.

The filing alleges that Twitter has violated its 2011 settlement with the FTC where the company said it would create an extensive security plan to protect users' personal information. Zatko says that user data, including those coming from Twitter's most high-profile verified handles, are vulnerable to hacks.

A specific issue Zatko raises is the access that thousands of Twitter employees have to the company's core software and the low security he sees many of their hardware have. The complaint alleges that about 30% of laptops in the company automatically blocked updates that included security fixes.

Zatko accused Twitter executives of purposefully misleading the company's board of directors about these vulnerabilities. A presentation shown late last year to the board's risk committee said that 92% of employees' computers had security software installed. But Zatko alleges executives, despite his protests, failed to tell them that a third of the company's computers were still vulnerable.

After Zatko internally reported that the risk committee's meeting may have been fraudulent, he was fired by Agrawal in January.

Twitter has come under fire in recent months for its handling of sensitive user information. Earlier this month, a former Twitter employee was found guilty of spying on Saudi dissidents and passing their information on to the Saudi government. The company was also fined $150 by the US federal government for collecting user email addresses and phone numbers for security purposes and then using them for marketing purposes.

The complaint also argues that Twitter has not been upfront about the number of spam bots it deals with. Zatko said he could not get the company to tell him a straight answer on how much spam and bots exist on the platform. He said that Agrawal was "lying" when he said in May that Twitter was "strongly incentivized to detect and remove as much spam" as possible and that company executives were instead encouraged to grow user numbers.

In a statement, Twitter has denied Zatko's accusations and said that he was fired for poor performance and leadership.

"What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context," the company told CNN in a statement. "Mr Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be."

Zatko told the Washington Post that he felt "ethically bound" to report his findings and that it "is not a light step to take".

The complaint comes amid Twitter's legal battle with Elon Musk after Musk dropped his plans to purchase the company for $44bn, saying the company has underplayed the prevalence of bots on its platforms. Representatives for Zatko told CNN he had not been in contact with Musk. Meanwhile, Musk's attorney Alex Spiro said that they have issued a subpoena for him and "found his exit and that of other key employees curious in light of what we have been fighting". The company is scheduled to go to trial with Musk in Delaware in October.