Security

Ex-security chief accuses Twitter of cybersecurity mismanagement in an explosive whistleblower complaint

Comment

Twitter sign
Image Credits: Amy Osborne (opens in a new window) / Getty Images

Twitter’s former head of security, Peiter “Mudge” Zatko, has accused his former employer of cybersecurity negligence in an explosive whistleblower complaint first obtained by CNN and The Washington Post.

Zatko, a well-known hacker, was recruited by Twitter to head up the company’s security division in late-2020, months after a very public breach saw hackers hijack the Twitter accounts of some of the world’s most famous people, including Joe Biden and Elon Musk. He was let go from the company less than two years later.

Though his time at Twitter was brief, Zatko says he witnessed “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy,” according to his whistleblower complaint dated July 6, which was filed with the U.S. Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Justice Department. He told The Washington Post that his public whistleblowing comes after his attempts to flag the security lapses with Twitter’s board were ignored.

Zatko alleges in the complaint, reviewed by TechCrunch, that Twitter lacked basic security controls. He said thousands of employee laptops contained complete copies of Twitter’s source code and that about one-third of those devices blocked automatic security fixes, had system firewalls turned off and had remote desktop access enabled for non-approved purposes. Zatko also accused the company of failing to actively monitor what employees were doing on their computers. As a result, “employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations,” the complaint said.

Zatko also alleges that about 5,000 full-time employees had broad access to the company’s internal software and that access was not closely monitored, giving them the ability to tap into sensitive data and alter how the service worked.

During his time at the company, Zatko said he came across a number of vulnerabilities “waiting to be discovered.” He says he discovered that half of the company’s 500,000 data center servers run on outdated software that do not support basic security features, such as encryption for stored data, or no longer received regular security updates from their vendors. This meant that Twitter suffered from an “anomalously high rate” of security incidents, Zatko said, and “reasonably feared Twitter could suffer an Equifax-level hack,” referring to the 2017 credit agency breach that resulted in the theft of close to 150 million Americans’ personal information.

The complaint alleges that the company had approximately one security incident each week serious enough that Twitter was required to report it to government agencies.

“In 2020 alone, Twitter had more than 40 security incidents, 70% of which were access control-related,” the complaint reads. “These included 20 incidents defined as breaches; all but two of which were access control related.”

Beyond claims of serious cybersecurity failings, Zatko also alleges that the Indian government forced Twitter to hire one of its agents and that the company repeatedly violated the terms of a 2011 agreement with the FTC. The complaint alleges Twitter does not reliably delete users’ data — including direct messages — after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do.

The complaint also has potential implications for Twitter’s legal battle with Musk, who is trying to get out of a $44 billion contract to buy the social media platform. Zatko says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and weren’t motivated to do so.

Twitter spokesperson Madeline Broas told TechCrunch in a boilerplate statement: “Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Twitter fixes security bug that exposed at least 5.4 million accounts

read more about the Twitter whistleblower on TechCrunch

More TechCrunch

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities

For Mark Zuckerberg’s 40th birthday, his wife got him a photoshoot. Zuckerberg gives the camera a sly smile as he sits amid a carefully crafted re-creation of his childhood bedroom.…

Mark Zuckerberg’s makeover: Midlife crisis or carefully crafted rebrand?

Strava announced a slew of features, including AI to weed out leaderboard cheats, a new ‘family’ subscription plan, dark mode and more.

Strava taps AI to weed out leaderboard cheats, unveils ‘family’ plan, dark mode and more

We all fall down sometimes. Astronauts are no exception. You need to be in peak physical condition for space travel, but bulky space suits and lower gravity levels can be…

Astronauts fall over. Robotic limbs can help them back up.

Microsoft will launch its custom Cobalt 100 chips to customers as a public preview at its Build conference next week, TechCrunch has learned. In an analyst briefing ahead of Build,…

Microsoft’s custom Cobalt chips will come to Azure next week

What a wild week for transportation news! It was a smorgasbord of news that seemed to touch every sector and theme in transportation.

Tesla keeps cutting jobs and the feds probe Waymo

Sony Music Group has sent letters to more than 700 tech companies and music streaming services to warn them not to use its music to train AI without explicit permission.…

Sony Music warns tech companies over ‘unauthorized’ use of its content to train AI

Winston Chi, Butter’s founder and CEO, told TechCrunch that “most parties, including our investors and us, are making money” from the exit.

GrubMarket buys Butter to give its food distribution tech an AI boost

The investor lawsuit is related to Bolt securing a $30 million personal loan to Ryan Breslow, which was later defaulted on.

Bolt founder Ryan Breslow wants to settle an investor lawsuit by returning $37 million worth of shares

Meta, the parent company of Facebook, launched an enterprise version of the prominent social network in 2015. It always seemed like a stretch for a company built on a consumer…

With the end of Workplace, it’s fair to wonder if Meta was ever serious about the enterprise

X, formerly Twitter, turned TweetDeck into X Pro and pushed it behind a paywall. But there is a new column-based social media tool in town, and it’s from Instagram Threads.…

Meta Threads is testing pinned columns on the web, similar to the old TweetDeck

As part of 2024’s Accessibility Awareness Day, Google is showing off some updates to Android that should be useful to folks with mobility or vision impairments. Project Gameface allows gamers…

Google expands hands-free and eyes-free interfaces on Android

A hacker listed the data allegedly breached from Samco on a known cybercrime forum.

Hacker claims theft of India’s Samco account data

A top European privacy watchdog is investigating following the recent breaches of Dell customers’ personal information, TechCrunch has learned.  Ireland’s Data Protection Commission (DPC) deputy commissioner Graham Doyle confirmed to…

Ireland privacy watchdog confirms Dell data breach investigation

Ampere and Qualcomm aren’t the most obvious of partners. Both, after all, offer Arm-based chips for running data center servers (though Qualcomm’s largest market remains mobile). But as the two…

Ampere teams up with Qualcomm to launch an Arm-based AI server

At Google’s I/O developer conference, the company made its case to developers — and to some extent, consumers — why its bets on AI are ahead of rivals. At the…

Google I/O was an AI evolution, not a revolution

TechCrunch Disrupt has always been the ultimate convergence point for all things startup and tech. In the bustling world of innovation, it serves as the “big top” tent, where entrepreneurs,…

Meet the Magnificent Six: A tour of the stages at Disrupt 2024

There’s apparently a lot of demand for an on-demand handyperson. Khosla Ventures and Pear VC have just tripled down on their investment in Honey Homes, which offers up a dedicated…

Khosla Ventures, Pear VC triple down on Honey Homes, a smart way to hire a handyman

TikTok is testing the ability for users to upload 60-minute videos, the company confirmed to TechCrunch on Thursday. The feature is available to a limited group of users in select…

TikTok tests 60-minute video uploads as it continues to take on YouTube

Flock Safety is a multibillion-dollar startup that’s got eyes everywhere. As of Wednesday, with the company’s new Solar Condor cameras, those eyes are solar-powered and use wireless 5G networks to…

Flock Safety’s solar-powered cameras could make surveillance more widespread

Since he was very young, Bar Mor knew that he would inevitably do something with real estate. His family was involved in all types of real estate projects, from ground-up…

Agora raises $34M Series B to keep building the Carta for real estate

Poshmark, the social commerce site that lets people buy and sell new and used items to each other, launched a paid marketing tool on Thursday, giving sellers the ability to…

Poshmark’s ‘Promoted Closet’ tool lets sellers boost all their listings at once

Google is launching a Gemini add-on for educational institutes through Google Workspace.

Google adds Gemini to its Education suite

More money for the generative AI boom: Y Combinator-backed developer infrastructure startup Recall.ai announced Thursday it has raised a $10 million Series A funding round, bringing its total raised to over…

YC-backed Recall.ai gets $10M Series A to help companies use virtual meeting data

Engineers Adam Keating and Jeremy Andrews were tired of using spreadsheets and screenshots to collab with teammates — so they launched a startup, CoLab, to build a better way. The…

CoLab’s collaborative tools for engineers line up $21M in new funding

Reddit announced on Wednesday that it is reintroducing its awards system after shutting down the program last year. The company said that most of the mechanisms related to awards will…

Reddit reintroduces its awards system

Sigma Computing, a startup building a range of data analytics and business intelligence tools, has raised $200 million in a fresh VC round.

Sigma is building a suite of collaborative data analytics tools