Peiter “Mudge” Zatko, Twitter’s former head of cybersecurity who has alleged major security vulnerabilities and oversights at the company, testified before the Senate on Tuesday.
The cybersecurity veteran detailed a litany of security concerns in a whistleblower complaint that first became public in August, including that the company suffered a significant breach about once a week in 2020 and that it has had few protections against so-called insider threats, in which a company is vulnerable to its own employees.
In his opening statement, Zatko said Twitter was “a decade behind industry security standards.”
“It’s not far-fetched to say that an employee in the company could take over the accounts of all of the senators in this room,” he said.
Most tech companies’ cybersecurity practices are tightly held secrets, so it’s difficult to compare Twitter’s to those of other tech companies. But in recent years, Twitter has suffered two of the U.S. tech industry’s biggest security incidents. A handful of hackers took over high-profile celebrity accounts in 2020 to push a bitcoin scam, causing bedlam on the site for several hours. And last month, a federal jury convicted a former Twitter employee of using his position at the company to feed information to the Saudi royal family.
Responding to a question from Sen. Sheldon Whitehouse, D-R.I., about how Twitter’s vulnerabilities could constitute a national security threat, Zatko described how lax security practices at Twitter could lead to its users being harmed by identity thieves or government spies.
“Twitter in 2020 internally assessed that they lost information on 200 million users for email addresses, phone numbers, other information like that. This is the information that you need in order to start taking over other people’s accounts,” he said.
“With your phone number and an email address, I can hijack your phone number. I can then change your Gmail, your Coinbase, your Ameritrade, your other accounts. I can cause financial harm that way. I can then assume your identity. But more importantly, I want to be able to understand your whereabouts, your network.”
After reiterating a claim from his complaint that he was confident India had placed a spy as an employee at Twitter, Zatko also said it was likely China had infiltrated the company. He described an incident just before he was fired earlier this year in which the FBI warned that Chinese intelligence had an agent in the company.
Zatko said he was not surprised by the warning given what he saw as Twitter’s lax oversight.
“Because it’s very difficult to detect them, it is very valuable to a foreign agent to be inside there,” he said.
Some Republican senators like John Kennedy, R-La., and Tom Cotton, R-Ark., shifted the conversation from cybersecurity to allegations that Twitter is systemically biased against conservatives, though studies have shown that isn’t the case. Zatko declined to answer some of those questions, saying it wasn’t part of his expertise at the company.
The testimony comes as Twitter’s future remains up in the air. Twitter is fighting to ensure that Elon Musk will go through with a $44 billion deal to acquire the company that he has since sought to back out of.
Musk has claimed that Twitter misled him, and Twitter has argued that it did no such thing and that its merger agreement has no provisions regarding issues Musk raised such as the prevalence of fake accounts.
Twitter shareholders are voting Tuesday on whether to approve Musk’s bid. They are expected to approve the deal.
Musk has used Zatko’s allegations to try to convince the Securities and Exchange Commission to step in, while Twitter has countered that it has still not violated any of its merger obligations.
Jason Abbruzzese contributed.