A “white hat” hacker, Peiter “Mudge” Zatko, revealed that Twitter has become a massive security risk for the United States after it went back on a deal with the federal government to set up a system to secure its user data.
Zatko, a software engineer who used to lead the 1990s hacking crew “Cult of the Dead Cow,” filed a complaint with the U.S. Securities and Exchange Commission alleging Twitter’s failure to protect its users.
Twitter hired Zatko as its head of security two years ago while it was dealing with numerous controversies surrounding its poor security, including several high-profile hacks that targeted celebrities and political figures such as Joe Biden, Elon Musk, Jeff Bezos, Kanye West, and Kim Kardashian.
According to the Washington Post on Tuesday, Zatko informed the SEC that Twitter failed to adhere to its deal with the Federal Trade Commission to fix all of the security gaps that allowed hackers to gain access to those high-profile accounts in the first place.
Hackers used the compromised accounts to scam their millions of followers with fraudulent links that provided the cybercriminals with access to even more accounts.
According to Zatko, Twitter failed to upgrade its server infrastructure, which he claims is out of date and vulnerable to known exploits. Furthermore, Twitter’s negligence in safeguarding the data of its hundreds of millions of users, which include heads of state, members of the intelligence community, and official government accounts, poses a risk to national security.
In his filing with the SEC, Zatko alleged that Twitter even loses track of user data when accounts are deleted, with no ability to retrieve the lost data. Twitter’s failure to secure such information on its platform is a violation of its pledge to the Federal Trade Commission.
Additionally, Zatko accused Twitter of providing access to some of the platform’s most sensitive functions to low-level workers across the company, effectively making the platform vulnerable to espionage and sabotage.
The hacker and security expert alleges that Twitter fired him in early 2022 after he flagged his concerns to executives, and described a tense relationship with company CEO Parag Agrawal, whom he accused of discouraging him from giving the board of directors a full accounting of Twitter's security flaws.
Zatko alleges that he was instructed to produce a glowing report to the board to deceive it into thinking that the company was well on its way toward plugging all of its security problems. In effect, he alleges that Agrawal discouraged him from disclosing the full extent of the platform’s problems to the board.
“Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago,” said a Twitter spokesperson to CNN in response to the SEC filing. “While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context.”
“Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders,” the representative added. “Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”
Zatko’s allegations lend credence to Elon Musk’s claims that the company is failing to crack down on its bot and automated spam account problem – a point that one can easily infer from his SEC filing.