In a whistleblower complaint, Twitter’s former security chief accused the company of “extreme, serious deficiencies” in handling user information and spam bots.
Peiter Zatko, a veteran hacker and security expert known as “Mudge,” says the company misled users, board members, and the federal government about the strength of its security measures. Zatko was hired by Twitter co-founder and then-CEO Jack Dorsey to tighten the company’s security in 2020 after a massive hack targeted 130 high-profile Twitter accounts.
“Twitter is grossly negligent in many areas of information security,” Zatko wrote in a February analysis included in the complaint. “Unless these issues are addressed, regulators, media and users of the platform will be shocked to learn of Twitter’s inevitable serious lack of security fundamentals.”
Zatko filed the complaint with the Securities and Exchange Commission (SEC), the Department of Justice and the Federal Trade Commission (FTC); it was first reported by the Washington Post and CNN on Tuesday morning. A revised version of the complaint was sent to several congressional committees.
The filing alleges that Twitter violated a 2011 agreement with the FTC, in which the company said it would put in place a comprehensive security plan to protect users’ personal information. According to Zatko, user data belonging to Twitter’s most popular verified handles is vulnerable to hacks.
A specific issue Zatko raises is that thousands of Twitter employees have access to the company’s core software, combined with what he sees as poor security on much of their hardware. The complaint alleges that about 30% of the company’s laptops block automatic updates containing security fixes.
Zatko accused Twitter executives of intentionally misleading the company’s board about these vulnerabilities. A presentation shown to the board’s risk committee late last year said that 92% of employees’ computers had security software installed. But Zatko claims that, their protests notwithstanding, officials did not tell the board that a third of the company’s computers remained vulnerable.
Zatko was fired by Twitter CEO Parag Agrawal in January after reporting internally that the risk committee meeting may have been fraudulent.
Twitter has come under fire in recent months for its handling of sensitive user information. Earlier this month, a former Twitter employee was found guilty of spying on Saudi dissidents and leaking their information to the Saudi government. The company was also fined $150 by the US federal government for collecting users’ email addresses and phone numbers for security reasons and then using them for marketing purposes.
The complaint also argues that Twitter does not know exactly how many spam bots it is dealing with. Zatko said he could not get the company to specify how many spam accounts and bots are on the platform. He said Agrawal “lied” when he said in May that Twitter was “strongly encouraged to detect and remove as much spam as possible,” and that the company’s executives were instead encouraged to increase user numbers.
In a statement, Twitter denied Zatko’s allegations, saying he was fired for poor performance and leadership.
“What we have seen so far is a false narrative about Twitter and our privacy practices that is fraught with contradictions and inaccuracies and lacks critical context,” the company said in a statement to CNN. “Mr. Zatko’s allegations and opportunistic timing appear to be designed to harm and draw attention to Twitter, its customers and shareholders. Security and privacy have long been a priority for Twitter and will continue to be so.”
Zatko told the Washington Post that he felt “morally obliged” to report his findings and that “this is not an easy step.”
The complaint comes amid Twitter’s legal battle with Elon Musk, after Musk abandoned his plan to buy the company for $44 billion and said the company downplayed the proliferation of bots on its platforms. Zatko’s representatives told CNN they had no contact with Musk. Meanwhile, Musk’s attorney, Alex Spiro, said he had issued a subpoena for Zatko and “determined that he and other key personnel are eager to step down given what we are fighting.” The company’s case against Musk is scheduled for trial in Delaware in October.