Peiter “Mudge” Zatko, the company’s former head of security who reported directly to the CEO, claimed that leadership misled board members and government officials about potential vulnerabilities that left the platform open to hacking, foreign manipulation, and spying. He also claimed that one or more current employees are working for a foreign intelligence agency.
“All engineers had access. There was no logging of who went into the environment or what they did,” Zatko wrote. “Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.”
Zatko claimed that Twitter CEO Parag Agrawal, who entered his position upon the exit of Jack Dorsey last year, discouraged Zatko from accurately reporting cybersecurity shortfalls to the board of directors and instead told him to offer misrepresented data.
The whistleblower disclosure totaled roughly 200 pages and was sent to the Securities and Exchange Commission, the Federal Trade Commission, and the Department of Justice, as well as multiple congressional committees. Twitter rejected the claims of the report, which CNN obtained from a senior Democratic staffer, and said that Zatko was fired due to “ineffective leadership and poor performance” earlier this year.
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” a Twitter spokesperson told CNN. “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Zatko alleged that Twitter officials do not have the resources or motivation necessary to determine the number of bots on the platform — a matter central to a legal battle over Elon Musk’s proposal to purchase Twitter, which the billionaire is trying to nix after claiming that executives repeatedly failed to offer a valid estimate for the number of monetizable daily active users (mDAU).
“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” Alex Spiro, an attorney for Musk, told CNN.
Earlier this week, Musk subpoenaed Dorsey for documents related to “the impact or effect of false or spam accounts on Twitter’s business and operations,” as well as information about “any process or workflow, other than the mDAU Audit and the suspension workflow, that Twitter uses, has used, or has discussed or considered using to detect and label accounts as spam or false.”
Musk has said that the true share of bots could be as high as 33% rather than the company’s reported 5%; a lower number of legitimate users could justify a lower company valuation. A trial to determine the status of the acquisition deal is slated to occur in October.
Musk recently floated the idea of refurbishing the website X.com as a new social media platform if the Twitter deal does not come to fruition. In 1999, the entrepreneur co-founded X.com as an online bank before it merged with Confinity to become PayPal. Musk repurchased the domain name in 2017 since it has “sentimental value.”