Twitter: “extreme deficiencies” in security

In late 2020, Jack Dorsey, founder and then-CEO of Twitter, hired Peiter Zatko, a.k.a. Mudge, a cybersecurity pioneer and one of the first ethical hackers, as the social network’s security director.

In January 2022, Twitter’s new executive management, led by Parag Agrawal, fired him for « poor performance ». In an investigation that was revealed in late August 2022, Peiter Zatko blew the whistle and said that he had sent the US Justice Department, FTC and SEC a 200-page document listing Twitter’s « extreme deficiencies » in security.

In particular, he explained how a significant number of employees (around half, i.e., thousands of people) have access to the social network’s most critical control features. A customer service employee could use this to delete anyone’s Twitter account!

Additionally, all engineers have permanent access to Twitter’s production environment with no dedicated development environment: all changes are released directly into production without logs of access or the actions performed, so there isn’t the slightest trace of who does what.

This is also the case for personal data: for example, no engineer at Twitter knows exactly what happens to them if a user decides to erase them.

Peiter Zatko also pointed out serious cybersecurity breaches, with 4 out of 10 workstations at Twitter being poorly secured: half of its 500,000 servers run on obsolete software, without data encryption at rest or security updates, and insufficient redundancies.

Given the seriousness of these deficiencies and the potential consequences, several US senators have said they would look into the matter.