Twitter’s former Head of Security Peter Zatko has gone public with accusations that the social media company is structurally incapable of protecting users from harmful activity, and that executives have been actively providing misleading or fraudulent information to regulators, customers, the board, and investors.
Zatko, who goes by the well-known hacker alias ‘Mudge’, last month submitted a whistleblower complaint to US corporate regulators alleging, among other things, that internal tools which have previously been hacked to take over prominent accounts are still in use with limited oversight.
Twitter hired Zatko in 2020 following an embarrassing security breach that saw accounts belonging to the likes of Bill Gates, Kanye West, and Elon Musk hacked to promote a Bitcoin scam.
According to redacted and recently published whistleblower disclosure documents, Zatko had been instructed by Twitter CEO Parag Agrawal to provide the company’s board with documents about security they both knew were “false and misleading”.
He also claims to have “prepared comprehensive written materials to educate the board on his findings about the company’s extensive security, privacy and integrity problems” but was told to keep them quiet.
The issues within Twitter supposedly include a lack of basic security for employee devices – such as automatic updates not being applied to a large cohort of staff – and data servers not having appropriate updates or encryption enabled.
Twitter denies its former Head of Security’s allegations and said he was fired for “ineffective leadership and poor performance”.
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” Twitter said.
“Mr Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers, and its shareholders.”
Zatko’s explosive evidence adds complexity to the very public court battle between Twitter and Elon Musk, due to take place later this year.
Musk has since tried to squirm out of the deal, saying Twitter misled him about how many bots are on the platform.
Zatko directly claims Twitter lied to Elon Musk about bot accounts because executives “have little or no personal incentive to accurately ‘detect’ or measure the prevalence of spam bots” in part because they were worried accurate spam bot numbers “would harm the image and valuation of the company”.
Instead, Twitter shifted focus toward its measure of ‘monetisable daily active users’ (mDAU), a count of the accounts that are probably not bots, which is the figure given to advertisers.
“Twitter has an outsized influence on the lives of hundreds of millions around the world, and it has fundamental obligations to its users and the government to provide a safe and secure platform,” Zatko’s representatives from Whistleblower Aid, a US organisation aimed at helping whistleblowers, said in a statement.
“It has taken the courage of a high-level whistleblower with an impeccable reputation for ethics and integrity for law enforcement agencies, and the public, to learn the truth.”