In November 2020, Twitter, then run by Jack Dorsey, hired a new security chief: renowned hacker and security expert Peiter Zatko, aka Mudge, the man who led a program to detect espionage for DARPA. Twitter had just suffered a huge breach in July, when an attacker took over the accounts of public figures like Bill Gates.
In January 2022, Twitter, by then run by CEO Parag Agrawal, fired Zatko. In July, Zatko filed a 200-page complaint with the Securities and Exchange Commission (SEC), accusing Twitter of deceiving shareholders and of violating its agreement with the FTC on security standards.
That brings us to now. CNN and the Washington Post have received copies of the filing, published redacted versions of it and interviewed Zatko.
There are many more allegations and details in the filing, but here are some of the main ones.
Zatko says around 5,000 full-time employees have access to sensitive user data and to software that can change how the service works. If true, this is a security risk, both because it is a high number of targets for phishing attacks and because of what those employees themselves could do with that access.
For example, during the January 6th riots in the US, Zatko says he wanted to lock down internal access to prevent employees from attacking the platform from within. He alleges that this was impossible, since all engineers had access and that access was not logged.
He also alleges that Twitter hired an agent of India's government who had access to sensitive Twitter user data.
And he says that Twitter's method of measuring the percentage of bots on the service is misleading. He notes that there are bonuses tied to increasing daily active users but not to reducing spam and bots.
Finally, recall that Twitter reached an agreement with the US FTC in 2010 to safeguard users' personal information. Zatko alleges that Twitter repeatedly makes "false and misleading statements" to users and to the FTC that violate that agreement. In particular, he says servers run out-of-date software.
Twitter says that Zatko was fired for poor performance and ineffective leadership, and that while it hasn't seen the full filing, what it has seen seems inconsistent, inaccurate and lacking important context. So what happens next?
The FTC is reviewing the complaint, which could lead to fines. Zatko has also been subpoenaed in the lawsuit between Twitter and Elon Musk, though the SEC filing itself will not bear directly on that case.
And the US Congress is preparing to chat with Zatko as well.