Twitter’s former head of cybersecurity, Peiter Zatko, popularly known as Mudge has accused the company of a number of egregious security flaws and oversights, according to a whistleblower complaint filed with the U.S. government this year.
The complaint, first reported on by The Washington Post and CNN, makes a wide range of damning claims about Twitter, including that members of the company’s board of directors misled the public and government agencies about the company’s security.
Zatko is a well-known “ethical hacker” turned cybersecurity insider and executive who previously held senior roles at Google, Stripe and the US Department of Defense,
He alleged in the complaint that he was told to withhold a major security report from Twitter’s board and to write misleading security documents.
He filed the complaint with the Securities and Exchange Commission, Federal Trade Commission and the Department of Justice in July. Whistleblower Aid, a nonprofit that provides legal assistance to whistleblowers, confirmed the complaint’s authenticity.
Zatco was hired as Twitter’s security lead following a major hack at the company in 2020
Twitter CEO Parag Agrawal fired Zatko in January this year over what the company called “ineffective leadership and poor performance.”
Zatko however said he was fired after he tried to blow the whistle internally about security deficiencies and alleged possible fraud by the company’s senior leaders.
Some of the complaint’s noteworthy allegations include:
- Twitter suffered security incidents significant enough to warrant a report to a government agency about once a week, with 20 breaches in 2020 alone.
- Twitter ( ) has neither the incentive nor the resources to properly measure the full scope of bots on its platform.
- Twitter doesn’t prioritize the removal of spam or bot accounts to the effect that CEO Parag Agrawal has previously described.
- The company has never been in compliance with an agreement it made with the FTC in 2011 to protect users’ personal information.
- Twitter does little to monitor for so-called insider threats, employees or contractors who use their positions in the company to steal information, and instead leaves them “virtually unmonitored.
- Twitter made misrepresentations to regulators such as the Federal Trade Commission and Securities and Exchange Commission about its privacy and security practices
The complaint comes at a particularly sensitive time for Twitter, which is fighting in court to ensure that Tesla CEO Elon Musk goes through with a deal to purchase Twitter for more than $44 billion. Musk is trying to pull out of the deal. Musk’s legal argument rests on alleging Twitter misled investors about its product, including how well it fights fake accounts.
- Read more:
- Elon Musk offers to buy Twitter, take it private
- Elon Musk ends $44bn deal to buy Twitter
- Twitter sues Elon Musk, says he can’t ‘trash the company’ and ‘walk away’
- Twitter uses Elon Musk poop emoji as evidence in lawsuit against him
Zatko’s allegations appear to bolster Musk’s claims about spam on Twitter, with the complaint stating that Agrrawal “knows very well that Twitter executives are not incentivized to accurately ‘detect’ or report total spam bots on the platform.”
Musk lawyer Alex Spiro said the billionaire’s legal team had already subpoenaed Zatko in the dispute with Twitter. “We found his exit and that of other key employees curious in light of what we have been finding,”
On Twitter, Musk appeared to acknolwedged the whisteblower’s emergence.
— Elon Musk (@elonmusk) August 23, 2022
Ifunanya Ikueze is an Engineer, Safety Professional, Writer, Investor, Entrepreneur and Educator.