A well-known “ethical hacker” who was hired by Twitter to overhaul its cybersecurity alleged that the social media giant has become a security risk for the US after it reneged on a deal with the federal government to set up a system that adequately protects user data.
Peiter “Mudge” Zatko — a software engineer who became a star in the hacker community in the 1990s as a member of the group “Cult of the Dead Cow” and a leader of the L0pht collective — filed a complaint with the Securities and Exchange Commission alleging widespread dysfunction at Twitter.
Zatko was named head of security by Twitter two years ago after the company was victimized by embarrassing security incidents, including the July 2020 takeover by hackers of high-profile accounts belonging to the likes of Barack Obama, Elon Musk, Joe Biden, Warren Buffett, Jeff Bezos, Kim Kardashian, Kanye West and Mike Bloomberg.
But in a filing with the federal government that was first obtained by the Washington Post and CNN, Zatko alleges that Twitter has failed to adhere to a deal with the Federal Trade Commission to plug the cybersecurity holes that led to the hacks.
Zatko accused Twitter of failing to upgrade its server infrastructure, most of which he says is out of date — thus leaving it vulnerable to severe breaches.
He also said Twitter’s failure to safeguard the data of its 238 million users — among them government agencies, heads of state and defense officials — poses a national security risk.
Twitter often loses track of user data even when accounts are deleted, Zatko alleges — a violation of a pledge the company made to the FTC more than a decade ago.
Zatko also accused Twitter of allowing low- and mid-level workers access to the company’s most sensitive controls — potentially making the firm vulnerable to spying and sabotage from hostile foreign actors.
He claims he was fired by the San Francisco-based company early this year after he flagged these issues to superiors.
Zatko also appears to back Elon Musk’s claim that the company is not making adequate efforts to crack down on the proliferation of automated “bot” and spam accounts.
Specifically, Zatko’s complaint claims that Twitter’s leadership is financially incentivized to juice user numbers instead of cracking down on bots. Elon Musk has repeatedly accused Twitter of covering up a bot problem as part of his effort to get out of his $44 billion takeover deal.
The complaint claims that Twitter’s C-suite could be paid bonuses worth up to $10 million if they boosted user counts, incentivizing them to ignore the site’s widespread problem with spam accounts.
“Twitter executives have little or no personal incentive to accurately ‘detect’ or measure the prevalence of spam bots,” read the complaint. “Senior management had no appetite to properly measure the prevalence of bot accounts… they were concerned that if accurate measurements ever became public, it would harm the image and valuation of the company.”
Zatko describes a tense relationship with Twitter CEO Parag Agrawal, who is accused of discouraging the then-executive from giving the company board a full accounting of the site’s security flaws.
Instead, Zatko alleges, he was told to give a misleadingly glowing report to the board in order to deceive it into thinking the company was addressing its safety lapses while concealing the true scope of the problem.
Musk, who earlier this year agreed to buy Twitter for $44 billion and take it private, recently sought to back out of the deal — prompting the company to file a lawsuit in Delaware seeking to compel the Tesla CEO to follow through on the acquisition.
Shares of Twitter fell 7.3% on Tuesday to $39.86.
A spokesperson for Twitter dismissed Zatko’s allegations, telling CNN that the firm views cybersecurity and safeguarding user data as top priorities. The company insists that Zatko was fired for poor performance.
“Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago,” the Twitter spokesperson told CNN.
“While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context.”
“Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders,” the company rep said.
“Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”