The tale of Twitter and its cybersecurity negligence

Twitter’s former head of security alleges that the social media company has been negligent and lax on cybersecurity as well as privacy protections for years.
30 August 2022

The tale of Twitter and its cybersecurity negligence. (Photo by Glenn CHAPMAN / AFP)

  • A former security chief of Twitter has accused the social media giant of “extreme, egregious deficiencies” in terms of cybersecurity, putting the company’s users and shareholders, as well as national security, at risk.
  • About half of Twitter’s 7,000 employees are given access to user data.
  • The company also has “no visibility or control” over thousands of devices used to access core company systems.

Last month, the US Securities and Exchange Commission (SEC) received a complaint, accusing Twitter of deceiving shareholders and violating an agreement it made with the Federal Trade Commission (FTC) to uphold certain security standards. In the complaint, totaling more than 200 pages, hacker-turned-cybersecurity-expert Peiter “Mudge” Zatko paints a picture of a chaotic and reckless environment at Twitter, a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. 

Zatko joined Twitter as its head of security in 2020, following a massive hack of the platform while Jack Dorsey was at the helm. Believing the platform to be a “critical resource” for the world, Zatko eventually grew appalled by the refusal of CEO Parag Agrawal to tackle the company’s many security failings. Twitter fired Zatko in January this year, a move he claims was made in retaliation for his refusal to stay quiet about the company’s vulnerabilities.

In an interview with The Washington Post, Zatko said his public whistleblowing comes after he attempted to flag the security lapses to Twitter’s board and to help Twitter fix years of technical shortcomings and alleged non-compliance with an earlier privacy agreement with the FTC. “I believe I am still fulfilling my obligation to Jack and to users of the platform. I want to finish the job Jack brought me in for, which is to improve the place.”

For context, Zatko’s allegations mainly concern Twitter’s leadership, which he claims has misled its own board and government regulators about the platform’s security vulnerabilities. The vulnerabilities include some that could allegedly open the door to foreign spying or manipulation, hacking and even disinformation campaigns.

Let’s take a look at some of the most significant accusations laid out by Zatko.

Indiscriminate access at Twitter

One of Twitter’s most significant weaknesses, Zatko claimed in his complaint, is that too many employees have access to critical systems. He stated that around half of Twitter’s 7,000 or so full-time employees have access to users’ sensitive personal data and internal software, and that this access is not closely monitored. He also alleges that thousands of laptops contain complete copies of Twitter’s source code.

Failure to delete

The complaint states that Twitter has, in the past, failed to delete users’ data when requested because such records are spread too widely among internal systems to be properly tracked. A current employee told The Washington Post that the company just completed a project, known as Project Eraser, to ensure proper deletion of user data.

Twitter has been misleading the FTC

You read that right — the Zatko complaint states that Twitter has “never been in compliance” with a 2011 Federal Trade Commission settlement related to charges that it failed to protect consumers’ data, a significant and early example of government regulators reining in Big Tech. Zatko’s complaint claims Twitter has repeatedly made “false and misleading statements” to users and the FTC, violating this agreement.

Yes, Elon Musk, Twitter has more bots than it claims

Twitter has repeatedly claimed that less than 5% of its monetizable daily active users are bots, fake accounts, or spam. However, Zatko’s complaint says Twitter’s method of measuring this figure is misleading and that Twitter executives are “not incentivized to accurately ‘detect’ or report total spam bots on the platform.” Instead, they are incentivized to boost the company’s monetizable daily active user (mDAU) counts with bonuses that can exceed US$10 million. He also claims Twitter does not have the resources to fully understand the true number of bots on the platform.