Peiter “Mudge” Zatko, Twitter’s former head of cybersecurity who has alleged major security vulnerabilities and oversights at the company, testified before the Senate on Tuesday.
The cybersecurity veteran has detailed a litany of security vulnerabilities in a whistleblower complaint that first went public in August, including that the company had a serious breach about once a week in 2020 and that it had little protection against so-called insider threats, in which a company is vulnerable to its own employees.
In his opening statement, Zatko said Twitter is “a decade behind industry security standards.”
“It’s not a stretch to say that an employee in the company could take over the accounts of all the senators in this room,” he said.
The cybersecurity practices of most tech companies are well-kept secrets, so it is hard to compare Twitter to other tech companies. But in recent years, Twitter has suffered two of the biggest security incidents in the US tech industry. A handful of hackers took over high-profile celebrity accounts in 2020 to push a cryptocurrency scam, leaving the site hobbled for several hours. And last month, a federal jury convicted a former Twitter employee of using his position at the company to pass information to the Saudi royal family.
Responding to a question from Senator Sheldon Whitehouse, D-R.I., about how Twitter’s vulnerabilities could pose a threat to national security, Zatko described how lax security practices at Twitter could lead to users being harmed by identity thieves or government spies.
“Twitter internally determined in 2020 that they lost information on 200 million users for email addresses, phone numbers and other such information. This is the information you need to take over other people’s accounts,” he said.
“With your phone number and an email address, I can hijack your phone number. I can then change your Gmail, your Coinbase, your Ameritrade, your other accounts. That way I can cause financial damage. I can then assume your identity. But, more importantly, I want to be able to understand your whereabouts, your network.”
After repeating a claim from his complaint that he was certain India had placed a spy at Twitter as an employee, Zatko also said it was likely China had infiltrated the company. He described an incident just before he was fired earlier this year in which the FBI warned that Chinese intelligence had an agent in the company.
Zatko said he wasn’t surprised by the warning given what he saw as Twitter’s lax oversight.
“Because it’s very difficult to detect them, it’s very valuable for a foreign agent to be in there,” he said.
Some Republican senators, such as John Kennedy, R-La., and Tom Cotton, R-Ark., shifted the conversation from cybersecurity to accusations that Twitter is systematically biased against conservatives. Studies have shown that is not the case. Zatko declined to answer some of those questions, saying that was not part of his area of expertise at the company.
The testimony comes as the future of Twitter remains up in the air. Twitter is fighting to make sure Elon Musk goes ahead with a $44 billion deal to acquire the company, a deal he has since tried to pull out of.
Musk has claimed that Twitter misled him, and Twitter has argued that it did no such thing and that the merger agreement does not contain any provisions related to issues Musk raised, such as the prevalence of fake accounts.
Twitter shareholders will vote Tuesday on whether or not to approve Musk’s offer. They are expected to approve the deal.
Musk has used Zatko’s allegations to try to persuade the Securities and Exchange Commission to intervene, while Twitter has countered that it has not breached any of its merger obligations.
This is a developing story. Check back for updates.
Jason Abbruzzese contributed.