Twitter whistleblower claims company had ‘extreme, egregious’ security problems

Twitter executives attempted to deceive regulators about major security problems that make users’ personal information vulnerable to hackers, according to a new whistleblower complaint.

The complaint, filed by the former Twitter head of security Peiter Zatko, alleges that Twitter had “extreme, egregious deficiencies” in its security practices and failed to take sufficient measures to protect its hundreds of millions of users.


Zatko’s most serious accusations include that Twitter violated its 2011 settlement with the Federal Trade Commission when it falsely claimed it had a security plan, according to a copy of the complaint acquired by the Washington Post. The former security head claims the company’s servers relied on older and more vulnerable software and that executives withheld information from Twitter’s board of directors about the vulnerabilities and attempted to present them with irrelevant information.

Zatko filed the complaint last month with the Securities and Exchange Commission, the Justice Department, and the FTC.

The vulnerabilities he described allowed at least one hacker to access several celebrities’ accounts, including that of former President Barack Obama, and use them to solicit bitcoin from users, he said.

Twitter also emphasized user growth over combating spam, according to Zatko, who added that Twitter CEO Parag Agrawal was “lying” when he claimed the company was “strongly incentivized” to remove any and all spam from the platform. The website changed its metrics in 2019 from tracking total users to tracking “monetizable daily active users.” While Twitter uses these numbers to pitch its offering to advertisers, millions of accounts remain outside the mDAU count because they are spam bots or are not monetizable. When Zatko asked for an accurate count, he was told by executives that they “don’t really know.” He said he was also told by members of Twitter’s site integrity team that “senior management had no appetite to properly measure the prevalence of bot accounts.”

Twitter also had been forced to put an agent of the Indian government on its payroll, according to Zatko.

A redacted version of the complaint went to congressional committees. The FTC is also reviewing the allegations listed in the complaint.

Zatko claims he was “ethically bound” to file the complaint after Agrawal fired him in January.

Twitter denied Zatko’s claims and alleged that his complaint is based on false or out-of-date information.

“Mr. Zatko was fired from Twitter more than six months ago for poor performance and leadership, and he now appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders,” Rebecca Hahn, Twitter’s global vice president of communications, told the Washington Post.

Congressional leaders have already voiced concerns about Zatko’s revelations.

“The whistleblower’s allegations of widespread security failures at Twitter, willful misrepresentations by top executives to government agencies, and penetration of the company by foreign intelligence raise serious concerns,” Senate Majority Whip Dick Durbin (D-IL) said in a statement. “If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world. As Chair of the Senate Judiciary Committee, I will continue investigating this issue and take further steps as needed to get to the bottom of these alarming allegations.”


Zatko has a long history in security and hacking. The 51-year-old programmer is considered one of the first members of the hacker community to develop relationships with the government, and he was involved in developing L0phtCrack, one of the most potent password-cracking tools. Zatko also testified before Congress in 1999 about the internet’s susceptibility to attacks and founded one of the first venture-capital-backed hacking consultancies.

The revelations in Zatko’s complaint could have legal implications for Twitter’s battle with Elon Musk. The company is attempting to force Musk to uphold his contract after the billionaire withdrew from the deal over claims that Twitter had lied about the number of spam bots on its platform. Zatko argued Musk’s suspicions about spam bots are “on target” and that the way Twitter determines “daily active users” is designed “precisely to avoid having to honestly answer the very questions Mr. Musk raised.”
