Twitter Accused of Prioritizing Profits Over Security: What You Need to Know

In a whistleblower complaint, Twitter's former head of security says the company isn't doing enough to fix its privacy, security and content moderation issues. He testified this week before US lawmakers.

Queenie Wong Former Senior Writer
Queenie Wong was a senior writer for CNET News, focusing on social media companies including Facebook's parent company Meta, Twitter and TikTok. Before joining CNET, she worked for The Mercury News in San Jose and the Statesman Journal in Salem, Oregon. A native of Southern California, she took her first journalism class in middle school.
Expertise I've been writing about social media since 2015 but have previously covered politics, crime and education. I also have a degree in studio art. Credentials
  • 2022 Eddie award for consumer analysis
Queenie Wong
5 min read
Silhouettes of people at Twitter headquarters in front of a paneled white screen with the blue Twitter logo in the center

Twitter's former head of security is blowing the whistle on problems he found while working at the company.

James Martin/CNET

Twitter's chaotic year keeps getting worse.

Peiter "Mudge" Zatko, the former head of security at Twitter, has alleged in a whistleblower complaint that he uncovered "extreme, egregious deficiencies" by Twitter surrounding user privacy, security and content moderation.

Zatko, who Twitter fired in January, accuses the company, its executives and board of directors of violating federal law by making "false and misleading" to users and the Federal Trade Commission.

"Mudge spent 14 months pushing for improvements from the inside, and was terminated for his efforts," the complaint says. Nonprofit law firm Whistleblower Aid is representing Zatko and confirmed to CNET that the complaint is authentic. Zatko filed the 84-page complaint in July to the US Securities and Exchange Commission, Department of Justice and the FTC.

The allegations come at a tumultuous time for Twitter. The influential social media company is in a high-profile legal battle with billionaire Elon Musk after the Tesla and SpaceX leader tried to back out of a $44 billion deal to purchase Twitter. The tech platform sued Musk to complete the deal, and a five-day trial is scheduled for October. 

Musk is trying to use the whistleblower disclosure as part of his argument to bail on the deal. His legal team filed amended counterclaims against Twitter, made public Thursday, that allege the company's purported misrepresentations about its daily users "were only one component of a broader conspiracy among Twitter executives to deceive the public, its investors, and the government about the dysfunction at the heart of the company."

The amended counterclaims came days after the whistleblower testified before US lawmakers for the first time.

The whistleblower complaint not only raises questions about whether Twitter is doing enough to safeguard user privacy and security but it could also impact whether Musk gets forced to buy the platform.

Here's what you need to know:

Who is the Twitter whistleblower?

Zatko is a well-known hacker and longtime security expert who worked at DARPA (the research and development agency of the US Department of Defense) and Google before joining Twitter in 2020.

He created software that's still used today to test the strength of passwords. He's also been a part of influential hacking groups such as L0pht that testified before Congress in the 1990s on security issues.

Former Twitter CEO Jack Dorsey recruited Zatko to work at the social media company after teenagers hacked the high-profile Twitter accounts of Musk, celebrity Kim Kardashian and even Joe Biden, who at the time was the presumptive Democratic nominee for US president. 

What are the allegations in the complaint?

The complaint is lengthy and includes several allegations against Twitter, including that the company prioritized daily user growth over the platform's health and integrity.

Executives tried to hide bad news instead of trying to fix problems, possibly because they were rewarded financially for helping Twitter grow daily users, didn't know better or had help create the "broken systems," according to the complaint. 

Zatko alleges he uncovered various security and privacy problems at the company and brought it to the attention of executives in 2021. The company appeared to have a high rate of security incidents, some employees had disabled security and software updates on their devices and staff had too much access to user data, the complaint stated.

"Mudge identified there were several exposures and vulnerabilities at the scale of the 2020 incident waiting to be discovered, and reasonably feared Twitter could suffer an Equifax-level hack," the complaint says. In 2017, credit reporting company Equifax announced a major data breach that impacted 148 million Americans.

Instead, Zatko alleges he didn't get support to address these issues and received "stiff pushback" particularly from Parag Agrawal who is now Twitter's CEO. Agrawal was Twitter's Chief Technology Officer before he got promoted and the complaint notes that "Twitter's problems had developed under Agrawal's watch."

The complaint accuses Twitter of violating an 11-year-old settlement with the FTC by falsely claiming it had a comprehensive security program. Zatko alleges that his findings were worse than Dorsey feared and that the company had never complied with the FTC order and wasn't on track to do so.

The complaint also alleges Twitter lied to Musk about the number of spam bots on its platform and misled the FTC about fully deleting data of users who leave the service. Zatko also outlines threats to democracy and national security. Some of these threats include the Indian government forcing Twitter to hire government agents and the company becoming more dependent on revenue from Chinese entities, the complaint says.

What is Twitter's response to the allegations?

Twitter says that Zatko was fired because of "ineffective leadership and poor performance" and the company prioritizes security and privacy. 

"What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context," Twitter spokeswoman Rebecca Hahn told The Post. "Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders."

Twitter provided CNET with the same statement.

How are US lawmakers and regulators responding?

The complaint is already sparking scrutiny from US lawmakers.

Sen. Richard Blumenthal, a Connecticut Democrat, urged FTC Chair Lina Khan to investigate Twitter.

"These troubling disclosures paint the picture of a company that has consistently and repeatedly prioritized profits over the safety of its users and its responsibility to the public, as Twitter executives appeared to ignore or hinder efforts to address threats to user security and privacy," Blumenthal wrote in a letter to Khan.

The SEC and FTC declined to comment. The DOJ didn't respond to a request for comment. 

Zatko testified before a Senate panel on Tuesday, telling US lawmakers that the social media platform prioritized profits over the safety of its users.

"When an influential media platform can be compromised by teenagers, thieves and spies and the company repeatedly creates security problems on their own, this is a big deal for all of us," he said.

Will the complaint impact whether Musk is forced to buy Twitter?

It's possible. The complaint mentions that Zatko started to document evidence of fraud at Twitter in January before Musk offered to buy the company.

Watch this: Elon Musk vs. Twitter Bots: How Big Is the Problem?

Musk has accused Twitter of misrepresenting the number of false or spam accounts on its platforms. The complaint alleges that Musk is correct in that Twitter executives have little or no personal incentive to accurately detect or measure spam bots because they feared that it could harm the image and valuation of the company. 

On Aug. 23, Musk tweeted a meme that said "Give a little whistle."

Musk's lawyers have tried to use the complaint to push back the trial to a later date, but a Delaware Chancery Court judge overseeing the case denied that request last week. The judge, though, did rule that Musk could amend his counterclaims against Twitter to include the whistleblower disclosures.

Musk's lawyers have also subpoenaed Zatko and have tried multiple times to use the whistleblower complaint to end the merger agreement. On Aug. 29, his lawyers alleged that the company violated the merger agreement because it didn't disclose a $7 million June settlement with Zatko or seek Musk's consent for that action. Twitter didn't respond to questions about Musk's allegations. Twitter shareholders voted on Tuesday to approve the Musk takeover deal, and the legal battle is still ongoing.