Whistleblower tells Congress that Twitter has a spy problem

Peiter 'Mudge' Zatko, Twitter's former security chief, offered Congress a litany of alleged issues within the company.
[Image: Twitter app download screen displayed on iPad. Caption: The headaches just keep coming for Twitter. Photo: Souvik Banerjee/Unsplash]

A respected longtime figure within the hacking and infosec communities testified in front of Congress yesterday on a number of grave whistleblower complaints filed against his former employer, Twitter. Among other damning issues, Peiter Zatko (known as “Mudge” in the cybersecurity world), who was Twitter’s security lead from July 2020 to January 2022, claimed that the FBI once warned the major social media platform it had unwittingly hired a Chinese spy as an employee, alongside similar incidents with both Indian and Saudi Arabian agents. Zatko also alleged that the accounts of every member of Congress—and the wider public, for that matter—were highly susceptible to cyberattacks at any moment given major lapses in Twitter’s security protocols.

“It doesn’t matter who has keys if you don’t have any locks on the doors. It’s not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room,” Zatko said at one point during his nearly two-and-a-half-hour testimony. During his interview, he also explained that Twitter’s estimated 4,000 engineers have consistent access to private user data such as phone numbers and IP addresses. As such, they are in prime positions for infiltration by bad actors and hostile foreign governments.


Zatko, a former Department of Defense employee, also alleges that Twitter’s top executives are well aware of these numerous security issues, but are slow to deal with any of them. Instead, he claims, they mislead the public, Congress, federal regulators, and even members of the company’s own board of directors. “They don’t know what data they have, where it lives, and where it came from, and so, unsurprisingly, they can’t protect it,” said Zatko.

Zatko argues that Twitter’s issues largely stem from being so far behind in cybersecurity, and a failure to properly update and maintain the systems required to protect its own data. “This fundamental lack of logging inside Twitter is a remnant of being so far behind on their infrastructure, the engineering, and the engineers not being given the ability to put things in place to modernize,” he explained.


The latest whistleblower complaints come as Twitter faces increasing pressure from lawmakers and regulators over numerous issues, ranging from security to curbing misinformation to how it keeps track of the countless bots plaguing the platform. Elon Musk made headlines earlier this year after announcing his intention to buy the company outright, but quickly reneged, citing those aforementioned bot issues. Although critics argue his reasoning for dropping the deal doesn’t hold up to much scrutiny, these and other ensuing battles all but ensure Twitter has a long legal road ahead of it.