
Former Twitter security head says company’s systems have ‘extreme, egregious deficiencies’

Update: Elon Musk’s lawyers have now issued a subpoena to speak to Zatko about the claims.

Former Twitter security head Peiter Zatko has filed a formal complaint that the company has “extreme, egregious deficiencies” in its protections against hackers, and has done little to defeat spam.

He accuses the company of deceiving the Federal Trade Commission (FTC), following promises made back in 2011 after hackers twice took full control of Twitter …

The Washington Post reports:

Twitter executives deceived federal regulators and the company’s own board of directors about “extreme, egregious deficiencies” in its defenses against hackers, as well as its meager efforts to fight spam, according to an explosive whistleblower complaint from its former security chief.

The complaint from former head of security Peiter Zatko, a widely admired hacker known as “Mudge,” depicts Twitter as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users including government agencies, heads of state and other influential public figures.

Among the most serious accusations in the complaint, a copy of which was obtained by The Washington Post, is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes.

Zatko filed his complaint with the FTC, as well as the Securities and Exchange Commission (SEC) and Department of Justice (DOJ).

The complaint goes on to allege that Twitter CEO Parag Agrawal lied when he said that the company was “strongly incentivized” to detect and remove spam. Zatko says that there were no bonuses tied to reducing spam, while execs could earn as much as $10M in bonuses for increasing daily active users – whether or not those accounts were spambots.

This latter claim will doubtless be seized upon by Elon Musk, who is currently fighting a legal battle after pulling out of a promised buyout of the social network. Musk claimed the company was not honest about the number of spam accounts.

Update: Musk hadn’t responded as of this update, but his lawyers have.

Twitter denies the allegations. Spokesperson Rebecca Hahn told the Post that Zatko had been fired for “poor performance and leadership,” and seemed to be intent on revenge. “[He] now appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders.” She said the 84-page complaint was “riddled with inaccuracies.”

Hahn said that Twitter security and privacy had been revamped in 2020, while the company removed more than a million spam accounts per day.

Senior Senate Judiciary Committee member Charles E. Grassley (R-Iowa) said that there were national security implications, given the potential for harm by a bad actor gaining control over the accounts of politicians and media organizations.

Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster. The claims I’ve received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further.

Twitter’s security failures include a 2020 incident in which a teenager managed to take over many high-profile accounts, including those of Apple, Joe Biden, Elon Musk, Jeff Bezos, Bill Gates, Mike Bloomberg, Kanye West, Uber, Floyd Mayweather, Warren Buffett, and Barack Obama. The 17-year-old was subsequently sentenced to three years in prison.


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
