Twitter whistleblower releases scathing report on company's security and privacy practices

2025-04-28 09:09:20admin

An ex-Twitter executive is spilling the beans on the company's cybersecurity and privacy practices.

Peiter "Mudge" Zatko, former head of security at Twitter, spoke to CNN and The Washington Post, claiming that not only did his former company have a number of cybersecurity issues, it also deliberately misled its board of directors about them.

Among other security issues, Zatko claims the following (detailed in a 200-page disclosure sent to Congress and U.S. government agencies in July, and obtained by the news outlets):

Twitter gave thousands of company employees access to some of its most critical controls, which made it "impossible" to adequately protect the platform.
Twitter had minimal control over or visibility into employees' individual company computers.
About half of Twitter's servers run on outdated software.

Perhaps even more serious are Zatko's claims on how Twitter handles privacy.

Most notably, Zatko claims that Twitter has "never been in compliance" with the demands the Federal Trade Commission (FTC) made from the company back in 2011. Twitter then settled with the FTC over a privacy complaint which has shown that the company failed to safeguard its users' private information. Under the terms of the settlement, Twitter was barred for the next 20 years from "misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information." Had Twitter failed to do so, it could result in further fines.

Mashable Light Speed Want more out-of-this world tech, space and science stories? Sign up for Mashable's weekly Light Speed newsletter. By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. Thanks for signing up!

SEE ALSO: Can the courts force Elon Musk to buy Twitter now that he doesn't want it?

Specifically, Zatko alleges that Twitter does not always reliably delete a user's data after they've cancelled their account, the report says, "in some cases because the company has lost track of the information."

Related Stories

How to keep your Twitter account safe using two-factor authentication (2FA)
How to DM on Twitter
How to delete a tweet and a retweet
How to see what Twitter Lists you're on
How to hide replies on Twitter

Zatko's claims come at a difficult time for Twitter, as the company is about to start a legal battle over Elon Musk's takeover bid. In his disclosure, Zatko touches on a topic that Musk has claimed is pivotal in this case — the number of bots on Twitter's platform. Zatko alleges that Twitter deliberately misreports the number of bots and spam accounts on its platform (which Musk also claims), and further claims that Twitter doesn't even have the proper resources to measure this number. Twitter claims "false or spam" accounts make up less than 5 percent of the platform.

John Tye, Zatko's lawyer and founder of Whistleblower Aid (an organization that assisted Facebook whistleblower Frances Haugen and is now representing Zatko), told CNN Zatko has not been in contact with Musk, and that he began the whistleblower process before Musk's takeover bid kicked off.

Zatko was fired by Twitter in January 2022. In a statement given to the news channel, Twitter said he was fired for "poor performance and ineffective leadership." As for his claims, Twitter called them "a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context."