Twitter executives hid “extreme, egregious deficiencies” in its defenses against hackers and spam, according to a whistleblower complaint from its former security chief.
The complaint from former head of security Peiter Zatko, known as “Mudge,” depicts Twitter as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users, including government agencies, heads of state, and other influential public figures.
The Washington Post got a copy of the complaint, which claims Twitter breached an 11-year-old FTC settlement by fraudulently claiming to have a solid security plan. Zatko’s complaint states he informed colleagues that half the company’s servers ran outdated and dangerous software and that executives hid grim information about data breaches and lack of protection, instead presenting directors with rosy charts measuring insignificant changes.
The complaint, filed last month with the SEC, DOJ, and FTC, says thousands of employees still had wide-ranging and poorly tracked internal access to core company software. This led to embarrassing hacks, including the commandeering of accounts held by Elon Musk, Barack Obama, and Donald Trump.
The whistleblower complaint claims the firm emphasized user growth over combating spam, even if unwelcome content hurt the user experience. The complaint claims executives could have won $10 million for increasing daily users, but nothing for decreasing spam.
The complaint says that CEO Parag Agrawal lied when he said the company was “highly incentivized to detect and remove spam.”
Zatko described his decision to go public as an outgrowth of his prior efforts revealing software defects and systemic cybersecurity failings. After a massive hack, former CEO Jack Dorsey hired him in late 2020.
Zatko, who was fired by Agrawal in January, said he was “ethically bound” and that this is no small step. He wouldn’t address Twitter beyond the legal complaint. Under SEC whistleblower guidelines, he’s entitled to legal protection and monetary compensation.
Congress received a redacted version of the 84-page filing. A top Democratic official on Capitol Hill provided the Post with the disclosure. Whistleblower Aid represents Zatko. Two people familiar with the probe say the FTC is evaluating the allegations. The Post interviewed more than a dozen current and former employees, many of whom spoke anonymously to discuss sensitive information.
Twitter spokeswoman Rebecca Hahn said security and privacy are company-wide concerns. She said Zatko’s charges were “riddled with misinformation” and he was “opportunistically aiming to destroy Twitter, its customers, and its stockholders.” Hahn said Twitter fired Zatko for “poor performance and leadership.” Zatko’s attorneys said he was sacked but disputed that performance or leadership was the reason.
Hahn said Twitter has increased security since 2020, that its methods are industry-standard, and that it has guidelines about who may access business servers.
Hahn claimed Twitter removes 1 million spam accounts per day, or 300 million per year. Expanding daily users is the lowest of three reasons for receiving cash bonuses, along with growing revenue and another financial target, according to Twitter’s proxy papers.
Twitter “completely stands behind” its SEC filings and spam-fighting tactics, Hahn added.
An individual acquainted with Zatko’s tenure claimed the corporation reviewed his security allegations and found them sensationalistic and unfounded. Four people familiar with Twitter’s spam measures said the firm uses manual and automatic techniques to measure and decrease spam.
The SEC, DOJ, and FTC said nothing.
The Legal Battle
The complaint might affect Twitter’s legal battle with Musk, who wants out of a $44 billion deal to buy the social media network. Twitter agrees to provide correct shareholder filings. Musk claims Twitter underestimated the number of bots on its network, which should let him off the hook. In October, Delaware Chancery Court will hear the case.
Musk tweeted a Jiminy Cricket meme with the words “Give a Little Whistle” after this article was published.
In a February review for the corporation, Zatko concluded, “Twitter is highly careless in several information security areas.” Regulators, the media, and Twitter users will be startled if these flaws aren’t fixed.
Zatko’s complaint contends Twitter, which maintains sensitive user data, should have prioritized security. Many prominent personalities and dissidents use Twitter to communicate at tremendous risk.
An ex-Twitter employee was convicted of spying on Saudi dissidents and government critics in exchange for cash and gifts.
Zatko claims the Indian government pushed Twitter to hire one of its agents with access to user data during protests. The complaint says supporting evidence was sent to the Justice Department’s National Security Division and the Senate Intelligence Committee. Another source said the employee was likely an agent.
The Senate Intelligence Committee wants to meet with Zatko to discuss his concerns.
Combine a computer platform that collects large amounts of user data with a weak security architecture and foreign state actors with an agenda, and you have a formula for disaster, said Senate Judiciary Committee Chairman Charles E. Grassley (R-Iowa). His office discussed the claims with Zatko. The Twitter whistleblower’s assertions raise national security and privacy concerns and must be investigated.
Many reputable voices use Twitter to convey messages fast, so a hijacked account might cause panic or violence. In 2013, a captured AP handle erroneously tweeted about White House explosions, sending the Dow Jones tumbling 140 points.
After a teenager hijacked the verified accounts of Obama, Biden, Musk, and others in 2020, Twitter’s CEO at the time, Jack Dorsey, encouraged Zatko to join him, stating he could serve the world by solving Twitter’s security and improving public dialogue, Zatko claims in the complaint.
Three people acquainted with Dorsey’s statements said he respected the hacker’s trailblazing background. He wouldn’t comment. In 1998, Zatko told Congress that he and others could shut down the internet in a half-hour. He later led cyber grants at the Pentagon’s Defense Advanced Research Projects Agency, which sponsored the internet’s creation.
According to the complaint, Zatko found pervasive problems at Twitter and unresponsive leadership.
Twitter’s security issues predate Zatko’s arrival in 2020. In 2009, hackers acquired administrative control of Facebook and reset passwords and accessed user data. First, hackers sent tweets from Fox News and Obama’s accounts in January.
A hacker guessed an employee’s administrative password after getting access to their personal email. This hacker reset at least one user’s password and accessed sensitive Twitter data.
The FTC investigated and sued Twitter, leading to one of the first significant tech privacy consent orders. Twitter pledged in 2011 to build, monitor, and adjust user security.
In 2017, a contract worker briefly took over Trump’s account, and in 2020, a Florida minor deceived Twitter officials and gained access to verified accounts. Twitter added protections.
A former FTC officer who worked on the case said the agency was understaffed at the time and failed to closely monitor many businesses after privacy settlements, including Twitter.
The Justice Department accused Twitter of requesting users’ phone numbers for security and then using them for marketing. Twitter agreed to pay $150 million for allegedly violating a 2011 injunction prohibiting misrepresentations concerning personal data security.
Whistleblower Aid claims Twitter’s security was worse than regulators thought.
The complaint alleges Zatko found the corporation had made little progress since the 2011 settlement. The allegation claims he reduced the safety case backlog from 1 million to 200,000, added employees, and pushed for results.
According to the complaint, Zatko identified serious loopholes in the company’s FTC requirements. It says the 2011 order required Twitter to develop a Software Development Life Cycle program to ensure new code is bug-free. The complaint states that other workers told the board and FTC they were rolling out the software to Twitter’s systems. Zatko claims it was supplied to only a tenth of the company’s projects and was optional.
David C. Vladeck, head of the FTC’s Bureau of Consumer Protection at the time of the settlement, said if Zatko’s charges are proven, the company might face hefty penalties.
Vladeck, a Georgetown Law professor, stated, “If all that’s true, there are order violations.” Twitter may still have the same issues it had 11 years ago.
The complaint also alleges that Zatko told the board early in his employment that overlapping data center outages could leave the company unable to restart its servers. The service may have been down for months or lost all data. A “catastrophic” situation endangered the platform’s viability in 2021, the complaint states, without providing details.
One current and one former employee recalled the incident, when outages at two Twitter data centers caused service issues. One of them worried whether the company would last a few days.
Current and former employees agreed that disclosures to privacy regulators were “misleading at best.”
The business implied it had removed the data of all users who asked, but the content had spread so broadly within Twitter’s networks that it was hard to tell for sure. The current Twitter employee said Project Eraser will delete such material. A person familiar with the incident claimed Twitter merely said the accounts were deactivated and improved its capacity to discover and erase material.
Zatko says he oversaw the removal of several bots as head of security, per the complaint. Twitter has long battled spam bots, or automated tweeters. Unlike other social media sites, Twitter lets users program bots. Twitter lets people create profiles without using their real names, making it tougher to discern authentic, duplicate, and automated accounts.
Wall Street has questioned Twitter over bots since the firm has previously counted automated accounts as everyday users, even though they don’t see advertisements and can’t generate revenue. In 2019, the company modified its calculation to focus on ad viewers and clickers. Twitter has estimated that fewer than 5% of monetizable daily users are spam and bots in every quarterly SEC filing since.
Zatko claims he couldn’t obtain a straight answer about spam and bots throughout all of Twitter, not only among monetizable users.
Zatko cites a “sensitive source” who stated Twitter feared revealing the number because it “would hurt the company’s reputation and valuation.” He thinks the company’s spam-detection capabilities are weaker than suggested.
The complaint argues Agrawal’s tweets and Twitter’s blog articles imply Twitter uses proactive, sophisticated mechanisms to measure and eliminate spam bots. The reality: obsolete, unmonitored, simplistic scripts and overworked, inefficient, underfunded human employees.
The engineering and integrity teams run software that samples hundreds of tweets per day, and 100 accounts are sampled manually.
Some battle organizers said they were short-staffed. One stated bosses were “apathetic.”
Zatko’s acquisition indicates CEO-level leadership failure. Three current and former employees said Dorsey’s absence during the epidemic made it difficult for Zatko to acquire rulings on who should be in charge of what and easier for opposing executives to avoid collaborating.
According to the complaint, Zatko handled complaints and encountered falsehoods. He commissioned an outside assessment that revealed one misinformation team having empty positions, linguistic difficulties, and a lack of technical tools and engineers. The writers argued Twitter has no way to stop untruth spreaders.
Three employees and two others familiar with the process said Dorsey made no attempt to incorporate Zatko at the company. In 12 months, Zatko could only arrange six 30-minute one-on-one calls with his employer Dorsey, who was also CEO of payments business Square, now known as Block. Dorsey allegedly said 50 words to Zatko in a year. The complaint states they exchanged “a couple dozen text conversations.”
Zatko claims inertia prevented him from solving some of the most significant concerns.
30% of work laptops prevented automated security updates, and many had Twitter’s source code, the report said. A successful hacker takeover of one of those machines might have sabotaged the product easily, current and former employees said. Engineers pushed out modifications without first testing them in a simulated environment.
Tony Sager, former chief operating officer of the National Security Agency’s Information Assurance division, called it “near-incredible” that a large-scale project lacked a development test environment and a controlled source-code management methodology. “Most attack scenarios are fair game and easy to execute.” Sager leads a consensus effort to create best security practices at the Center for Internet Security.
Half of Twitter’s 7,000 full-time employees had unmonitored access to the company’s core software, allowing them to access sensitive data and change how the service worked. Three current and former employees concurred.
Former U.S. top information security officer Gregory Touhill remarked, “Only view and access what you need to execute your job.” If half the company can make production configuration changes, the company and its customers are in danger.
Dorsey never urged anybody to deceive the board, but others left out damaging news, the complaint states.
When Dorsey resigned in November 2021, Agrawal, who was CTO before Zatko’s hire, inherited a difficult situation, the complaint states.
According to the lawsuit, an unnamed executive prepared a presentation for the new CEO’s first board meeting. Zatko deems the presentation deceptive.
The presentation showed that 92% of employee computers had security software installed, without noting that 33% were unsafe, according to the complaint.
Another figure implied a decreasing trend in the number of persons with overly broad access, based on the small subset of people with “God mode” access, which numbered in the hundreds. Zatko had labeled broad access to core systems a major problem when he joined, although it had expanded modestly and remained in the thousands.
The presentation featured only a subset of major intrusions or other security incidents, from a total Zatko assessed as one each week, and it indicated unrestricted internal access to critical systems caused merely 7% of occurrences, although Zatko measured the real proportion as 60%.
The complaint alleged Zatko stopped the Dec. 9, 2021 presentation. Agrawal objected, but a week later he sent it to the Risk Committee.
Agrawal didn’t comment. In an email to staff published by The Post, he claimed privacy and security remain major priorities for the company and that the narrative is “riddled with inconsistencies” and “presented without crucial context.”
“We’ll seek all paths to defend our company’s integrity,” he stated.
Zatko reported to the Audit Committee on Jan. 4 that the Risk Committee meeting may have been fraudulent.
Then Agrawal fired him. Zatko agreed with the company’s instruction to write down his concerns, even without his work email and papers, according to the complaint.
Since Zatko’s departure, Twitter’s instability has increased with Musk’s May takeover. Many staff have gone, and Agrawal has fired executives and frozen projects.
Zatko sought to enhance the company by introducing more scrutiny and responsibility.