Whistleblower claims Twitter is lying about user privacy, bots, security, and more

According to the whistleblower, around half of Twitter's employees allegedly have access to sensitive user data.
[Image: Phone screen with Twitter's profile page displayed. Caption: Things just got a lot more hectic over at Twitter HQ. Credit: Deposit Photos]

Pieter “Mudge” Zatko—one of the most respected names within hacking circles and the cybersecurity industry—just made life much harder for Twitter. In detailed, damning whistleblower complaints first published by The Washington Post and CNN earlier today, the social media platform’s former security chief alleges that the company has hidden reckless and lax security policies from the public, failed to properly assess its longstanding bot problem, and broken promises made to federal regulators and its own board of directors over a decade ago regarding user privacy guarantees.

Describing the issues as “extreme, egregious deficiencies,” Zatko also claims current Twitter CEO Parag Agrawal fired him earlier this year after Zatko’s repeated attempts to address the problems. Zatko was hired by former company CEO and co-founder Jack Dorsey in 2020, following the infamous hacking of multiple high-profile Twitter accounts, including those of Bill Gates, Elon Musk, Kanye West, and Barack Obama.


“This would never be my first step, but I believe I am still fulfilling my obligation to Jack and to users of the platform,” Zatko told The Washington Post, adding that he hoped “to finish the job Jack brought me in for, which is to improve the place.”

In the more than 200 pages of redacted documentation published between The Washington Post and CNN, Zatko provides federal regulators with numerous allegations of malfeasance and misdirection in pursuit of profit. Of the roughly 7,000 people employed by Twitter, around half of them allegedly have access both to sensitive user data like phone numbers and to the company’s own internal software controlling how the platform actually functions. According to Zatko, none of this access is closely monitored, nor are the potentially thousands of laptops containing copies of Twitter’s entire source code.

Despite heavy fines and a 2010 agreement with regulators to better protect users’ personal information, Twitter has been accused of consistently misleading its users and the Federal Trade Commission regarding any ensuing reforms. These security lapses allegedly even at one point included the hiring, under pressure from the Indian government, of a government agent who subsequently had “access to vast amounts of Twitter sensitive data.”

And then there are the bots. Spam accounts have long been an issue for Twitter, although the company has consistently maintained they comprise less than 5 percent of all users. Zatko contends the company’s calculations are willfully inaccurate, and that executives are actually given bonuses as large as $10 million to increase user totals.

It’s unclear how this could potentially influence Elon Musk’s ongoing legal battle with Twitter over his imploding effort to purchase the company earlier this year. Despite initially claiming he wanted to buy the social media platform in part to work on its bot issues, Musk soon attempted to backpedal, arguing the company was withholding accurate statistics. Reports, however, indicate Musk scheduled a deposition with Zatko before the latter’s whistleblower complaints went public.