What are the Twitter whistleblower’s allegations against company?
Famed hacker Peiter ‘Mudge’ Zatko was fired by social media platform in January 2022
Your support helps us to tell the story
This election is still a dead heat, according to most polls. In a fight with such wafer-thin margins, we need reporters on the ground talking to the people Trump and Harris are courting. Your support allows us to keep sending journalists to the story.
The Independent is trusted by 27 million Americans from across the entire political spectrum every month. Unlike many other quality news outlets, we choose not to lock you out of our reporting and analysis with paywalls. But quality journalism must still be paid for.
Help us keep bring these critical stories to light. Your support makes all the difference.
He is one of the world’s most famous hackers and leading cybersecurity experts.
Now Peiter “Mudge” Zatko has become a whistleblower and submitted a string of allegations of repeated security violations by his former employer: Twitter.
Mr Zatko, 51, was the company’s head of security from November 2020 to January 2022. He was allegedly fired by CEO Parag Agrawal after he flagged the issues and began cooperating in a formal investigation with Twitter’s compliance officer.
Now he has given his findings to US regulatory agencies, which in turn have been shared with members of the US Congress.
In the document, Mr Zatko makes a string of allegations against Twitter, accusing the company’s top executives of violations of the Federal Trade Commission Act and Securities and Exchange Commission regulations.
He claims that the company has not been honest about privacy issues and data security and has been subject to major breaches by foreign governments.
It comes just weeks before Elon Musk’s legal showdown with Twitter as he tries to extricate himself from a $44bn deal to buy the company.
The entrepreneur has alleged that Twitter has not been honest about the number of fake or bot accounts on the platform.
Mr Zatko says in his documentation that the company has been “lying about bots” to Mr Musk and that an accurate account of those accounts would negatively impact the bonuses paid to senior executives.
Mr Zatko’s allegations were sent to the US Securities and Exchange Commission, the Bureau of Consumer Protection at the Federal Trade Commission, and the civil and antitrust divisions of the Justice Department, according to CNN.
In a statement to The Independent, a Twitter spokesperson said that Mr Zatko had been fired by the company for “ineffective leadership and poor performance.”
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” the statement says.
“Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be. “
These are the most serious allegations made against Twitter.
Twitter allowed agents of foreign governments to access data
Mr Zatko claims that Twitter’s security issues were a matter of national security and that they hired two people he believes were agents of India’s government.
He alleges that the employees had “direct unsupervised access” to the company’s internal information.
In the documents, he says that the US government told the company in 2022 that at least one of their employees was working for a foreign intelligence agency.
He also says that before he became CEO, Mr Agrawal had supported Twitter’s expansion in Russia, despite the censorship and surveillance in the country.
Twitter does not accurately count bots and fake accounts
This is one of the main issues in Mr Musk’s decision to walk away from his $44bn deal to buy the platform.
Twitter has claimed that just five per cent of its accounts are fake or bots, something that Mr Musk has claimed is inaccurate.
Mr Zatko claims that Twitter has been “lying” to the Tesla CEO about bots and that the real number is far higher than they have acknowledged.
He claims that the number comes from a sampling of a subset of accounts, known as “monetizable daily active users,” or mDAUs.
Twitter uses this data to let advertisers know how many people are looking at their ads, and it is designed to exclude bots.
He claims that top executives’ bonuses are linked to mDAUs and the real number of bots becoming public would “hurt the image and valuation of the company”.
Twitter’s poor internal security
Mr Zatko alleges that the company is “decades” behind companies like Google and Facebook in security protocols, and that while he was at the company it suffered a major security breach every single week.
He claims that too many Twitter employees have unnecessary access to internal systems and the company is vulnerable to phishing schemes by hackers.
In 2020, a teenager posed as a member of the company’s IT team and got access to credentials that allowed him to hack into the accounts of Barack Obama and Joe Biden to scale more than $100,000 in Bitcoin from users.
He also says that during the January 6 riots, he tried to limit access for employees to internal systems but was told that too many employees had irrevocable access and it could not be done.
The silence of Jack Dorsey
Mr Zatko claims that former CEO Jack Dorsey suffered a “drastic loss of focus” in 2021, was only sporadically in meetings and was rumored to remain silent for “days or weeks”.
Mr Dorsey has said he has practiced Vipassana meditation, an ancient Buddhist meditation technique that can involve 10 days of silence.
He says in the disclosure that while in the job he received “little to no actual support for his task of fundamentally changing the risky behaviors of over 8,000 employees and the entire corporate culture.”
He also claims he was asked to downplay the extent of Twitter’s issues to the company’s board.
Fired for raising concerns
Mr Zatko says that he had a difficult relationship with Mr Agrawal, who previously oversaw security at the company.
He alleges that at Mr Agrawal’s first board meeting as CEO in 2021, Mr Zatko was concerned that Mr Agrawal would downplay the company’s issues and wrote to him that his presentation contained “numerous and some significant, misrepresentations.”
The following month, Mr Zatko says he emailed Mr Agrawal and told him that his presentation documents to the Risk Committee had been “at worst fraudulent.”
Mr Agrawal wrote back to him to say that the company had launched an investigation into his claim, and asked him to write a report to support his allegation.
Mr Zatko says that he was fired less than two weeks later before he had a chance to file the report. The CEO publicly stated that the decision to remove him was based on “an assessment of how the organization was being led and the impact on top priority work.”
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments