Twitter Whistleblower Warns on Security
The Washington Post and CNN have published an exposé that alleges “reckless and negligent cybersecurity policies” at Twitter. The piece was based on a whistleblower’s disclosure to Congress and federal agencies.
Who is the Twitter whistleblower?
The Twitter whistleblower is Peiter “Mudge” Zatko, the company’s former head of security. Zatko is a noted security expert and researcher. He was hired by the social media giant in the wake of the July 2020 Twitter hack.
Twitter terminated Zatko’s employment in January 2022. Zatko says this was a response to his efforts to point out Twitter’s security flaws and get the company to address non-compliance with an earlier Federal Trade Commission (FTC) agreement on privacy. In a statement to CNN, a Twitter spokesperson said that the company fired Zatko due to “ineffective leadership and poor performance.”
What are Twitter’s security issues?
Zatko claims that Twitter is guilty of serious cybersecurity lapses — and that company leadership has attempted to cover them up. According to Zatko, these issues include:
- An excessive number of Twitter employees with access to critical platform controls.
- A failure to properly log the activity of software engineers active in Twitter’s production environment.
- A high number of employees using devices that fail to meet basic cybersecurity standards.
- A vulnerable server infrastructure (Zatko says nearly half of the company’s servers run outdated software that does not support adequate encryption and cannot be updated by vendors).
- Insufficient backup and recovery preparations to deal with a severe data center crash.
- A failure to reliably delete user data after a user closes their Twitter account.
- A platform vulnerable to manipulation by foreign governments (Zatko goes as far as to suggest that Twitter may have foreign intelligence assets working for them directly).
- A large amount of bot accounts on the platform — which Twitter reports in a way that intentionally obscures the scale of the problem.
- Requests from company leadership for Zatko to downplay Twitter’s security issues in his report to the board of directors.
How does this affect Twitter users?
It’s not possible to say how the issues mentioned in the disclosure really affect Twitter users — because at this stage, these are just alleged cybersecurity lapses. Twitter has strongly denied that Zatko’s accusations are accurate, and has offered rebuttals to several of his points.
Still, if even some of these issues are real, Twitter users are at risk. The platform that they and their friends use may be vulnerable in terms of security, stability, and data backup. Their ability to delete their own data may be uncertain. And the governments foreign adversaries — as well as garden-variety scammers and spammers — may be using the platform against them.
Only time will tell what the government finds to be true. But in the meantime, here are four tips for staying safe on Twitter:
Protect your account
All platforms can have security vulnerabilities — and sometimes, bad actors find ways to exploit these weaknesses. Protect your Twitter account from takeovers with a strong, unique password. And make sure to enable two-factor authentication. That way, even if your password is compromised, your account will still be secure.
Limit your exposure
Don’t use Twitter for secure communications or to store highly sensitive data, and limit the amount of personal data that you share with the platform. Use an end-to-end encrypted messaging app for secure comms. Keep private data safe using the secure notes feature of a password manager app or an encrypted hard drive. And remember that data deletion basically works on an honor system — so don’t share anything with Twitter that you wouldn’t want hanging around on their servers if you cancel your account.
Beware of bots
Be aware that there are lots of fake accounts on Twitter and other social media platforms. Some are used by foreign governments to influence politics. Others belong to scammers. General rule? Never assume that an unknown account on Twitter is an actual person. Take tweets from unfamiliar accounts with a large grain of salt. And learn about disinformation on social media so that you’ll know it when you see it!
Be skeptical of odd requests
People’s social media accounts get taken over all the time; if a platform has security problems, that’s even more likely to happen. Be wary of any request for information or link that comes to you over Twitter. And keep in mind that even Twitter verified accounts can be taken over and used to spread scams. Similarly, if a personal contact on Twitter messages you with an urgent request for help, or even if they’re just asking you something that seems out of the ordinary, be on guard. Instead of answering right away, reach out to them by phone first to confirm that the message really came from them.