Twitter’s former top security official, Peiter Zatko, has alleged that company executives endangered national security through “egregious deficiencies” in privacy and security and systematically misled users, members of its board, investors, and government officials.
The former official, Peiter “Mudge” Zatko, is a famous hacker and one of the nation’s top cybersecurity experts. He served as Twitter’s security lead from Nov. 2020 to Jan. 2022, when he was fired by CEO Parag Agrawal after Zatko began documenting what he says were repeated security violations, and as he worked with the company’s compliance officer on a formal investigation based on his claims.
Zatko submitted his disclosures to U.S. regulatory agencies in July, invoking federal whistleblower protections, and they were shared with members of Congress.
In 84 pages of disclosures and supporting documents, which TIME reviewed, Zatko accuses the $33 billion social-media platform’s top executives of violating the Federal Trade Commission Act and Securities and Exchange Commission regulations by misleading users, investors and board members about critical data security and privacy issues. These vulnerabilities led to frequent serious security breaches, exploitation by bad actors, and infiltration by foreign governments, Zatko alleges.
The documents shine a light on what Zatko alleges are years of basic security failings at Twitter, which he says make the platform vulnerable to abuse and even total collapse. Notably, the disclosures imply that the problems were allowed to fester under Agrawal, who was the most senior executive in charge of security issues before Zatko arrived. “If these problems are not corrected, regulators, media, and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics,” Zatko wrote in a Feb. 2022 document cited in the disclosure.
The disclosures come just weeks before the first scheduled court date in a legal dispute over the pending sale of the company to billionaire Elon Musk, who is seeking to extricate himself from an agreement to purchase the company. Musk claims Twitter misled him and investors about the percentage of spam bots and fake accounts that make up its user base. According to internal company emails submitted as part of the disclosures, Zatko began documenting Twitter’s alleged wrongdoings months before Musk publicly announced his desire to buy the company. The trial over whether Musk must go through with his initial agreement to buy Twitter is set to start on Oct. 17 in Delaware.
Zatko accuses Twitter executives of “lying about bots” to Musk, shareholders and Twitter users, alleging that the platform has far more spam accounts than it lets on, and that executives are disincentivized to count them properly because doing so would negatively affect their bonuses.
A Twitter spokesperson said the company had not seen Zatko’s allegations in full, but rejected a description of his main allegations. “Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago,” a Twitter spokesperson told TIME. “While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.“
Zatko’s disclosures allege the social media company’s executives committed securities law violations by making “material misrepresentations and omissions” in SEC filings, and asked him to mislead the board by minimizing security vulnerabilities. Zatko also says Twitter is beset by fundamental architectural flaws that allow too many employees “God mode” access to its systems, making the platform vulnerable to hackers and to influence by foreign intelligence agencies. His disclosures allege that Twitter executives hired two people whom he believes were Indian government agents and put them in positions with “direct unsupervised access” to internal Twitter data and information. This was just one example of Twitter’s “negligence and even complicity with respect to efforts by foreign governments to infiltrate, control, exploit, surveil and/or censor” the platform, its staff and its operations, Zatko alleges.
A source close to the company says that Zatko’s claims around the time of his exit were “investigated and found to be sensationalistic and lacking merit.”