A whistleblower has come forward alleging that Twitter has serious cybersecurity issues stemming from inadequate leadership that could pose a threat to users' personal information, to company shareholders, to national security, and even to democracy as a whole, according to a disclosure obtained by CNN.
The whistleblower is Twitter's former Head of Security, Peiter "Mudge" Zatko, who describes "a chaotic and reckless environment at a mismanaged company." He says that too many employees have access to the social media giant's central controls and most sensitive information.
Zatko accuses senior executives of covering up Twitter's most severe vulnerabilities and misleading the board and government regulators. He went so far as to say he believes that one or more Twitter employees are working for a foreign intelligence service.
The disclosure also alleges that Twitter does not reliably delete user data after cancelling an account, and that the company does not have the resources to understand the number of bots on the platform, something that has become central to the conversation surrounding Elon Musk's attempt to buy the company.
Zatko was fired from Twitter in January 2022, which adds further intrigue to the accusations.
Twitter whistleblower Peiter 'Mudge' Zatko
Zatko is a very well known ethical hacker who previously held senior roles at Google, Stripe, and the U.S. Department of Defense, and was offered a senior cyber position with the Biden Administration.
He was hired on at Twitter by former CEO and founder Jack Dorsey after a major hack compromised some of the most famous accounts in the world, including those of Joe Biden, Barack Obama, Kim Kardashian, Elon Musk, and many others.
Zatko tried to bring some security concerns to the board of director, saying he wanted to help fix years of technical shortcomings and alleging non-compliance with the Federal Trade Commission (FTC). But with Dorsey stepping down as CEO, the leadership did not want to listen and dismissed his claims.
Zatko was later fired for "poor performance" and said he felt he had no choice but to come forward and share what information he had with Congress and the appropriate federal agencies.
A Twitter spokesperson gave this statement after the disclosure, saying security and privacy are a top priority for the company:
"Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.
Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be."
It would certainly be believable for a former employee to hold a grudge if they felt they had been unjustly fired, and what better way to do it than to become a whistleblower? But, as mentioned before, Zatko is very well known within the cybersecurity industry, and many have come to his defense in this situation.
Casey Ellis, Founder and CTO at Bugcrowd, shares his opinion:
"Mudge has a long and rock-solid reputation of putting integrity first. He's also one of those InfoSec elders who rarely sticks their neck out to make a fuss, but when they do it's almost certainly worth paying attention to. This dates back to the L0pht testimony in 1998, which was a warning to Congress about computer insecurity well before its time.
Judging by the way the InfoSec community has closed ranks around him this morning, others clearly feel the same way. InfoSec doesn't suffer fools and has a keen eye for sensationalism, and I think the reaction today speaks very strongly to both his character and the claims themselves."
Ellis also shared that he was pleased to see this incident sparking discussion around labeling social media platforms as critical infrastructure and the implications social media has to national security, especially with the U.S. midterm elections around the corner.
Aaron Turner, CTO at Vectra, echoed similar sentiment about Zatko:
"I've known Mudge since his days at Cult of the Dead Cow. When I was at Microsoft, he and the @stake team helped us fundamentally improve our security strategy and tactics. As I've worked across government projects over the last 20 years, I would say that his work at DARPA made a significant difference in the way that the US government approached cyber security.
He has always had the highest level of integrity and also adheres to the highest technical standards of development and operation of systems. If Mudge says that Twitter has cybersecurity problems, Twitter has some big problems."
With testimonies like these to Zatko's character—and there are many more out there—it's reasonable to think he does want the truth to come out and to improve national security.
But, do these claims really rise to the level of concern for national security? Senator Chuck Grassley, the top Republican on the Senate Judiciary Committee, said he believes they do. Grassley said:
"Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure, and infuse it with foreign state actors with an agenda, and you've got a recipe for disaster. The claims I've received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further."
Zatko alleges much more about Twitter in the 200-page disclosure to Congress. See the article by CNN for more information.
