Twitter's last security chief blasts service over 'grossly negligent' security

Filed in July with the Securities and Exchange Commission, Department of Justice, and the FTC, the complaint accuses Twitter of having "extreme, egregious deficiencies" when it comes to security.

According to Zatko, in the filing seen by the Washington Post, Twitter is failing to live up to a 2011 settlement with the FTC, by saying it had a solid security plan in place. This included implementing various security safeguards to protect users, but Zatko believes Twitter failed on this point.

The failures include an allegation he warned other colleagues that half the servers run by the company ran on out-of-date and vulnerable software. There was also a claim that executives withheld information about breaches and a lack of user data protection from directors, and instead focused on charts covering less important changes.

Thousands of employees also still have access to core software, access that was also poorly tracked. That situation led to years of hacks of high-profile accounts, such as Elon Musk and of former U.S. presidents, via the social engineering of employees.

"Twitter is grossly negligent in several areas of information security," said Zatko. "If these problems are not corrected, regulators, media, and users of the platform will be shocked when they inevitably learn about Twitter's severe lack of security basics."

Zatko hopes his whistleblowing will introduce more scrutiny and accountability, forcing the company to improve itself.

"I still believe that this is a tremendous platform, and there is huge value and huge risk," he concludes. "I hope that looking back at this, the world will be a better place, in part because of this."

There is also a claim that Twitter prioritized user growth over the culling of spam, with bonuses linked to increases in the number of daily active users. However, there weren't bonuses or incentives for reducing spam.

The ex security chief also had trouble determining the number of bots on the service, with ad-related bot counting only happening since 2019, and oddly continually estimated to be less than 5%.

A source within Twitter told Zatko that the company was not keen to work out the real number of bots due to the potential harm to the "image and valuation of the company." Such a complaint could play into legal proceedings between Twitter and Elon Musk over a failed $44 billion purchase.

After announcing an intent to purchase in April, Musk halted the deal while user metrics and spam accounts were checked by his team. Misk then threatened to walk away, accusing Twitter of being unable to prove its sub-5% fake user account claim.

Musk filed to exit the deal in July, prompting Twitter to sue. Twitter and Musk's legal teams will be meeting in court in October over the affair.