The ex-worker, who Twitter says was fired for poor performance, warns of obsolete servers, software vulnerable to computer attacks.
Twitter misled users and US regulators about “extreme, egregious” gaps in its online protections, the platform’s ex-security chief claimed in whistleblower testimony that could impact the court fight over Elon Musk’s buyout bid.
Peiter Zatko’s complaint, which was published Tuesday by US media, also accused Twitter of significantly underestimating the number of fake and spam accounts — a crucial point in Musk’s argument for trying to cancel his $44 billion deal to own the platform.
Zatko’s filing to authorities including market watchdog Securities and Exchange Commission accuses Twitter of “negligence, willful ignorance, and threats to national security and democracy.”
The ex-worker, who Twitter says was fired for poor performance, warns of obsolete servers, software vulnerable to computer attacks and executives seeking to hide the number of hacking attempts, both from US authorities and from the company’s board of directors.
The hacker-turned-executive, who goes by the nickname “Mudge,” also claims that Twitter prioritizes growing its user base over fighting spam and bots, the filing says.
In particular, Zatko accuses the platform and its CEO Parag Agrawal of issuing untrue statements on account numbers because “if accurate measurements ever became public, it would harm the image and valuation of the company.”
His filing argues that because Twitter reports a tally of users based on who can be reached by advertising — not the actual number of accounts — the true magnitude of spam bots is effectively unknown to the public.
Twitter fired back at its former worker, saying Zatko was fired in January for “ineffective leadership and poor performance.”
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” the firm said in a statement.
The “opportunistic timing” of the allegations appears “designed to capture attention and inflict harm on Twitter, its customers and its shareholders,” the statement continued.
A redacted version of the filing was dated July 6, nearly a week before Twitter launched its lawsuit to try to force Musk to close the buyout deal and which is set for trial in mid-October.
Zatko’s legal team called the characterizations of his work and departure from Twitter as “false”, noting he was fired after clashing with the new CEO Agrawal.
‘Dangerous security risks’
The issue of fake accounts is at the heart of the legal battle between Twitter and Tesla chief Musk.
The billionaire has repeatedly accused the company of minimizing the number of bot accounts on its platform, and he tweeted Tuesday “spam prevalence *was* shared with the board, but the board chose not disclose that to the public…”
Musk is relying on the bot argument to justify abandoning his buyout deal and avoid paying severance, but Twitter’s lawsuit has asserted that it’s too late because the parties already have an agreement.
CNN reported that Zatko has not been in contact with Musk, and that he had begun the whistleblower process before there was any sign of the billionaire’s involvement in Twitter.
“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” Musk’s lawyer Alex Spiro told AFP.
The markets were not thrilled with Tuesday’s news and Twitter shares closed down over seven percent for the day.
Zatko was hired in late 2020 by the founder and former boss of Twitter, Jack Dorsey, after a massive hack that saw the accounts of major users including Joe Biden, Barack Obama, reality star Kim Kardashian and Musk himself compromised.
Before joining Twitter, Zatko held senior positions at Google and payments processing firm Stripe as well as DARPA, the technological research arm of the Pentagon.
US lawmakers immediately raised concerns about the allegations in Zatko’s filing and have pledged to look into them.
“If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” Senator Dick Durbin said in a statement.