Twitter's former security head alleges "egregious" security flaws
Twitter's former head of security has filed a whistleblower complaint with the government, alleging the social media company has gaping holes in its security practices and misleads the U.S. government — as well as its own corporate board — about its vulnerability.
The complaint from Peiter Zatko, Twitter's security chief until he was fired in January of this year, claims that Twitter has "extreme, egregious deficiencies" in security, privacy and content moderation. He also contends executives with the blogging platform lied to federal regulators about the strength of its security plan, as the company is required to have under a settlement with the Federal Trade Commission.
The company allegedly has no interest in or ability to calculate the number of bot and spam accounts on the platform, and it mismanages users' personally identifiable information and suffers regular security breaches, according to the complaint.
Zatko filed the complaint earlier this year with the Federal Trade Commission, Securities and Exchange Commission and Department of Justice. CBS News has obtained a version of the 84-page document shared with Congress, which the Washington Post and CNN earlier reported.
"He is very concerned, to the point that he is taking risks that could jeopardize his future career for the purpose of informing regulators, Congress, the public about the consequences given the vulnerabilities he's identified," John Tye, a lawyer with Whistleblower Aid who is representing Zatko, told CBS News.
"What he found inside this company was unlike anything he had seen elsewhere," Tye added. Zatko, who is known by his handle Mudge, has previously worked for Google, Stripe and the Defense Advanced Research Projects Agency.
In a statement to CBS, Twitter took issue with the complaint, saying that Zatko was fired "for poor performance and ineffective leadership."
"What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be," the company said in the statement.
Attorneys for Zatko called Twitter's statement about his performance "false," noting that he had "repeatedly raised concerns about Twitter's grossly inadequate information security systems to the Company's Executive Committee and Board of Directors throughout his tenure."
Zatko was fired two weeks after he "clashed" with CEO Parag Agrawal and Omid Kordestani, Twitter's head of the risk committee, about security problems, the attorneys alleged in a statement.
"Mr. Zatko was tasked with identifying Twitter's serious security vulnerabilities and addressing issues ranging from information security to misinformation which impacted users, shareholders and the public at large," the attorneys said. "In reporting these concerns internally and then to federal agencies and officials, their interests were always paramount."
Lax security, no encryption
Zatko's complaint claims Twitter had poor internal security controls, with up to half of the company's 10,000-strong workforce having access to sensitive user data, 30% of employee computers turning off automatic security updates and no management system for employee phones. Many of Twitter's data centers, which store and process user information, can't support encryption of data, according to Zatko.
Under a 2011 settlement with the FTC, which followed a series of hacks of the platform, Twitter is required to maintain a "comprehensive information security program."
However, "Twitter had never been in compliance with the 2011 FTC Consent Order, and was not on track to ever achieve full compliance," the complaint alleges.
Along with lying to regulators, Twitter executives also routinely gave incorrect information to the company's own board and misrepresented the efficacy of its security practices, Zatko alleges.
Two years ago, Twitter's lackadaisical approach led to the biggest social media hack in history, he also alleged. A Tampa teenager was able to hack into high-profile Twitter accounts, including those of former President Barack Obama, Joe Biden, Jeff Bezos, Michael Bloomberg, Bill Gates and Kim Kardashian West.
According to the complaint, the hack "was pretty simple: Pretending to be Twitter IT support, the teenage hackers simply called some Twitter employees and asked them for their passwords. A few employees were duped and complied and — given systemic flaws in Twitter's access controls — those credentials 'were enough to achieve 'God Mode,' where the teenagers could imposter-tweet from any account they wanted."
According to Tye, these revelations show that Twitter users should be concerned about their own security on the platform.
"This hopefully will be an opportunity for more regular users to learn how their data is handled, some of the risks of exploitation by foreign agents or bad actors, and to help Americans understand how we can keep these companies accountable to the kind of promises that they're making," he told CBS News.
Zatko also alleges Twitter hired foreign spies, citing claims from a U.S. government source that "one or more particular company employees were working on behalf of another particular foreign intelligence agency."
Senate Intelligence Committee Chair Dick Durbin said the allegations raise "serious concerns" and vowed to investigate. "If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world," the Illinois Democrat said in a statement.
Zatko has met with the Senate Intelligence and Judiciary committees as well as the House Energy and Commerce Committee, according to his lawyer, and is prepared to testify to Congress, Tye said.
No way to measure bots?
Along with allegations of lax security, the complaint echoes criticism from Elon Musk that the platform is overrun by bots, claiming that executives have no way of knowing what portion of accounts were fake. Musk earlier this year offered to buy Twitter for $44 billion, but withdrew his bid in July. (A trial on whether he is required by law to complete the deal is scheduled for October.)
"[D]eliberate ignorance was the norm amongst the executive leadership team," Zatko's complaint claims, with the company being unable to even provide a maximum estimate for the total number of spam and bot accounts. The team responsible for site integrity didn't know how to measure bots, was consumed with internal drama and had no incentive from the company to find a truthful number, he alleges.
Zatko claims that one internal verification method used by Twitter, but often disabled, foiled up to 12 million bots per month. In 2021, Twitter created a bonus structure under which employees could earn as much as $10 million for a short-term increase in monetizable daily active users, or mDAU, but no bonus for reducing spam on the platform, the complaint claims.
Twitter has long told regulators that fewer than 5% of its daily active users on the platform are bots. However, that claim is a lie, the complaint alleges, because the mDAU metric is already designed to leave out bots and other spam accounts.
A spokesperson for the U.S. Senate's intelligence committee, Rachel Cohen, said the committee has received the complaint and "is in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously."
CBS News' Nikole Killion and the Associated Press contributed reporting.