Peiter 'Mudge' Zatko: CSO-turned-whistleblower says Twitter security was in a shambles

The former head of security at Twitter details its many alleged security failings, from access control, to smartphones, desktops, servers, and the company's data center.
Written by Liam Tung, Contributing Writer

The former chief of security at Twitter has filed a whistleblower complaint alleging that the company's physical and digital security systems for protecting user privacy and moderating content suffered extreme deficiencies.

Peiter 'Mudge' Zatko was hired as Twitter's chief security officer by company co-founder Jack Dorsey in November 2020, but was terminated in January 2022 by current CEO Parag Agrawal, who assumed that role after Dorsey stepped down in November 2021. 


Zatko filed his 86-page redacted report to the Securities and Exchange Commission in July. The report suggests Twitter security was in a shambolic state in 2021, some 10 years after the Federal Trade Commission settled with Twitter over security deficiencies.

Amongst the claims in the report is the suggestion that, in 2021, over half of Twitter's 500,000 data center servers were running non-compliant kernels or operating systems, and that many of them could not support encryption of data at rest.


The report also suggests that more than 30% of employee computers had "disabled software and security updates", there was no mobile device management (MDM) system for employee phones, and that staff were "virtually unmonitored" for the risk of insider threats. Despite this, Zatko claims about half of Twitter's 10,000 employees were given access to sensitive live production systems and user data. 

Another claim made by Zatko relates to Twitter's data center capabilities: according to the former CSO, Twitter faced a cascading data center failure in spring 2021 that was "on the verge of taking Twitter offline for weeks, months or permanently". Zatko says he had warned the board months earlier and that Agrawal had misled the board.

Twitter also lacked development and testing environments for new code, Zatko claims, meaning engineers "use live production data and test directly on the commercial service, leading to regular service disruptions." On January 6, 2021, the day of the attack on the US Capitol Building, Zatko says all engineers had access to Twitter's production environment, yet there were no logs recording system access.

Zatko has accused Twitter of making false and misleading statements to users about the platform's security, privacy and integrity. He claims that, in December 2021, Agrawal instructed him to provide misleading documents regarding "vital information security matters" to Twitter's board of directors. Zatko also says Twitter was complicit with foreign government requests to exploit, surveil and censor Twitter's platform, staff and operations.

Twitter says Zatko's report is riddled with inconsistencies and inaccuracies, and that he was terminated for "ineffective leadership and poor performance" (via The Verge).

Bots and $44 billion bids 

Zatko is well-known in the cybersecurity industry. Before joining Twitter, he held senior cybersecurity roles at Google, Stripe, and within the Department of Defense's DARPA. 

His report may affect Elon Musk's ongoing legal battle with Twitter, in which Musk cancelled his $44 billion takeover bid, claiming Twitter has a bigger bot problem than it admits. Agrawal claims less than 5% of Twitter accounts are bots. However, Zatko claims senior executives at Twitter earn bonuses for growing mDAU (monetizable daily active Twitter users), not for weeding out bots and spam.

"Agrawal knows very well that Twitter executives are not incentivized to accurately 'detect' or report total spam bots on the platform," the report reads.


The FTC settled with Twitter in 2011 to resolve charges that Twitter deceived consumers about privacy by failing to protect their personal information. Hackers had gained control of the Twitter platform twice in 2009, according to the FTC's complaint. The settlement ordered Twitter to have a comprehensive information security program to identify, prevent, detect and respond to cyberattacks. The terms of the consent order are in effect until March 2031. 

Mudge reportedly found Twitter had made little progress on security since the FTC's consent order. In the year prior to Zatko's appointment at Twitter, the company was hacked by teenagers who obtained employee passwords simply by phoning employees and asking for them. That gave the attackers access to Twitter's admin panel and near-free rein over the platform.
