A former employee accuses Twitter of big security lapses in a whistleblower complaint
Updated August 23, 2022 at 5:19 PM ET
Peiter Zatko, who until January served as Twitter's security head, has filed an explosive whistleblower complaint, alleging the company ignored major security vulnerabilities and misrepresented the number of "bots," or fake accounts, on the platform.
Zatko, who's also a well-known former hacker known as "Mudge," filed the complaint last month with the Securities and Exchange Commission and the Federal Trade Commission. The complaint was first reported by The Washington Post and CNN.
Zatko claims Twitter executives ignored multiple security vulnerabilities, including failing to follow basic conventions like properly safeguarding staff access to core software, promptly deleting closed accounts, and updating security software on company laptops and servers.
The whistleblower also accuses Twitter of misleading federal regulators about its progress toward tightening up the privacy and security of its users' accounts after a major hack.
The complaint adds that Twitter's policy toward fake accounts incentivized "deliberate ignorance" by undercounting spam accounts and providing bonuses to executives for growing the number of users on the platform, but not sniffing out bots.
Twitter's security vulnerabilities makes the platform vulnerable to foreign spies, hacking and disinformation campaigns, Zatko further alleges.
The claims come as Twitter battles Elon Musk
The complaint comes at a sensitive time for Twitter, which is preparing for a high-profile legal battle to compel billionaire Elon Musk to buy the company after he agreed to a $44 billion purchase deal.
But Musk is now looking to back out of the deal, arguing primarily that Twitter wasn't forthcoming about the number of bots and spam among daily active users on its platform – which the social media company has strongly denied.
The dispute between Twitter and Musk is scheduled to go to trial on Oct. 17.
Zatko was hired as Twitter's security head in 2020 by former CEO Jack Dorsey after teenage hackers took over high-profile verified accounts, including those belonging to former President Obama, then-presidential candidate Joe Biden, and Musk.
Twitter, in a statement, said Zatko's complaints are "riddled with inconsistencies and inaccuracies" and said he was fired for poor performance in January. It added the complaint was "opportunistic" and "designed to capture attention and inflict harm on Twitter, its customers and its shareholders."
Zatko said he tried to warn Twitter's risk committee in January that executives were ignoring security flaws, but was fired by CEO Parag Agrawal two weeks later.
Copyright 2022 NPR. To see more, visit https://www.npr.org.