Whistleblower Peiter 'Mudge' Zatko Slams Twitter’s Cybersecurity

Twitter’s former head of security Peiter “Mudge” Zatko has come forward as a whistleblower, alleging that the company grossly mismanages its cybersecurity.

Zatko worked at Twitter for less than two years. The company allegedly fired him after he attempted to notify the board of executives of major cybersecurity gaps. Now, Zatko — a well-known hacker with a history of working for the government — is coming clean about the real issues.

Zatko filed an official complaint about Twitter’s cybersecurity problem with the SEC, Federal Trade Commission (FTC), and Department of Justice (DOJ) as a publicly named whistleblower, according to documents obtained by The Washington Post.

The complaint says Zatko saw “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy” during his time at Twitter.

Zatko alleges Twitter suffered 40 cybersecurity incidents in 2020, “70 [percent] of which were access control-related” and half of which were considered official breaches.

Zatko points out numerous alleged wrongdoings at Twitter headquarters:

• Twitter source code lives on the devices of thousands of employees.

• Many devices block automatic security updates and firewalls.

• Many devices remotely access non-approved activities.

• Twitter fails to closely monitor employee activity on work computers, leading to employees “intentionally installing spyware on their work computers at the request of external organizations,” according to Zatko.

• Approximately 5,000 employees can access and edit internal software.

• Much of the stored data at data centers isn't encrypted.

Zatko says he “reasonably feared Twitter could suffer an Equifax-level hack” during his time at the company. The 2017 Equifax data breach left 147.9 million Americans vulnerable (the U.S. ultimately indicted Chinese military members for the hack).

Interestingly, Zatko says bots may actually rule Twitter and that the company isn't equipped to fully understand the breadth of the issue.

In response to the whistleblower complaint, Twitter spokesperson Madeline Broas told reporters the following statement:

“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Twitter founder and former CEO Jack Dorsey recruited Zatko himself after a highly publicized 2020 hack that left multiple high-profile accounts (including Bill Gates, Elon Musk, and former President Barack Obama) vulnerable.

For decades, Zatko has been helping close cybersecurity holes for federal and associated organizations, leading to his 2013 Office of the Secretary of Defense Exceptional Public Service Award.

In true cybersecurity expert fashion, an accurate measure of his estimated net worth isn't available. Estimates range from 7–8 figures, but at this point, only Zatko knows the true scope of his assets.