Twitter whistleblower alleges major security lapses at social media firm

The disclosure alleges that Twitter executives have misled its own board and US regulators about security vulnerabilities, and that the platform could be susceptible to foreign interference or hacking.

August 23, 2022
By Martyn Landi, PA Technology Correspondent

Twitter has substantial security problems that place personal user data and potentially national security at risk according to a former company executive turned whistleblower, it has been reported.

According to a disclosure sent to the US Congress and federal agencies last month and obtained by CNN and the Washington Post, Twitter’s former head of security claims the company allows too many people to access the platform’s central controls and some sensitive information.

Peiter “Mudge” Zatko, who was sacked by Twitter in January, has claimed some of the company’s senior executives have been trying to cover up serious security vulnerabilities and that one or more current employees may be working for a foreign intelligence service.

According to reports, Mr Zatko’s disclosure alleges that Twitter executives have misled its own board and US regulators about security vulnerabilities, and that the platform could be susceptible to foreign interference or spying and hacking.

His claims include allegations of poor basic security practices, with as many as thousands of staff members able to access the sensitive central controls of the platform and a lack of transparency around who has accessed what data and when.

Peiter “Mudge” Zatko (centre) has blown the whistle on Twitter’s lax security. Internet Education Foundation/flickr

In addition, it has been reported the disclosure claims that Twitter does not have the ability to fully calculate the true number of bot or fake accounts on the platform – an issue which has become central to billionaire Elon Musk’s protracted and now stalled takeover which is currently heading for trial in the US in October, with Twitter looking to force through the £37.4 billion deal.

Mr Zatko’s lawyer told CNN that the whistleblower had not been in contact with Mr Musk and that Mr Zatko had started the whistleblowing process before there was any awareness of Mr Musk’s attempts to buy the platform.

The disclosure also claims the US government provided specific evidence to Twitter shortly before Mr Zatko left the company that at least one of its employees was working for another government’s intelligence service.

However, the whistleblower’s report does not state whether Twitter was already aware of this or if subsequent action was taken.

Mr Zatko said he had attempted to raise the alleged security lapses with Twitter’s board and claims his public whistleblowing comes after those attempts failed.

In response, Twitter disputed Mr Zatko’s account of the company’s practices.

“Mr Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” a Twitter spokesperson said.

“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context.

“Mr Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
