Twitter Still Has Security Flaws After Musk Takeover, Whistleblower Alleges

An ex-Twitter employee raised concerns that too many workers have the ability to tweet under any account.

Queenie Wong Former Senior Writer
Queenie Wong was a senior writer for CNET News, focusing on social media companies including Facebook's parent company Meta, Twitter and TikTok. Before joining CNET, she worked for The Mercury News in San Jose and the Statesman Journal in Salem, Oregon. A native of Southern California, she took her first journalism class in middle school.
Expertise I've been writing about social media since 2015 but have previously covered politics, crime and education. I also have a degree in studio art. Credentials
  • 2022 Eddie award for consumer analysis
Queenie Wong
3 min read
A phone shows Twitter's bird logo, with imagery of a gunshot shattering glass

Billionaire Elon Musk bought Twitter in 2022 for $44 billion.

James Martin/CNET

Twitter's security woes are far from over. 

A new Twitter whistleblower alleges in a complaint filed in October the platform hasn't fixed security problems even after pledging to do so following a major breach in 2020. That year, teenagers hacked the accounts of politicians, celebrities and other high-profile figures, including former President Barack Obama and tech billionaire Elon Musk to spread a cryptocurrency scam. Twitter said publicly in a blog post that it limited access to its internal systems and tools while it investigated the attack. 

The whistleblower, a former Twitter engineer, is concerned about an internal program that allows employees to tweet under any account. One Twitter employee estimated that roughly 4,000 employees had access to this program, once known as "GodMode." The existence of the program shows that "Twitter's public statements to users and investors were false and/or misleading," the anonymous whistleblower states in the 24-page complaint. Nonprofit law firm Whistleblower Aid filed the complaint to the Federal Trade Commission and the US Department of Justice. 

"Our client has a reasonable belief that the evidence in this disclosure demonstrates legal violations by Twitter," the complaint said.

The Washington Post, which interviewed the whistleblower, reported earlier on the allegations. The former Twitter employee, who requested anonymity because of harassment and safety concerns, told The Post that Twitter created the "GodMode" program so workers could tweet for some advertisers. Twitter engineers renamed the program to "privileged mode" following internal backlash, the whistleblower told The Post. The whistleblower reportedly told Congress and the FTC that Twitter engineers can still access this program today. Twitter didn't respond to a request for comment.

The whistleblower also filed another complaint in September with the FTC and the US Department of Justice, raising similar concerns about the amount of access employees had to Twitter accounts. In that complaint, another Twitter engineer told the whistleblower that they discovered in 2020 that workers could tweet as any account and brought up the same concern two years later.

A congressional staffer shared the September and October complaints with CNET.

The latest allegations could spark more scrutiny from lawmakers and regulators during a chaotic time for Twitter. Before Musk closed a deal to buy Twitter for $44 billion last year, Twitter's ex-security head Peiter "Mudge" Zatko outlined several security issues at the company, including allegations that employees had too much access to user data. Twitter fired Zatko, who joined the company after the 2020 security breach. In the complaint, Zatko accused Twitter of violating an 11-year-old settlement with the FTC. Twitter said Zatko's allegations were "riddled with inconsistencies and inaccuracies and lacks important context." Whistleblower Aid is also representing Zatko.

After Musk's takeover, the company cut half of its workforce, dissolved its Trust and Safety Council, and made other drastic changes that have raised questions about how well Twitter will be able to handle security problems and content moderation issues. Twitter users have also complained that an extra level of account security known as two-factor authentication isn't working properly. 

The FTC declined to comment on the latest whistleblower complaint. The whistleblower has also met with the Senate Judiciary Committee and the House Energy and Commerce Committee, The Post reported.

On Wednesday, Rep. Jan Schakowsky, an Illinois Democrat, said in a statement that the latest whistleblower allegations "highlight that technology companies are routinely failing to protect the security and privacy of consumers' data." She urged Congress and regulators to pass legislation to help safeguard consumer data.

"I am particularly concerned about Twitter users' data, as well as the potential impact of the debts Elon Musk owes to foreign powers," she said in the statement. "Musk's leadership has been tumultuous."

Kyle Gardiner, associate counsel for Whistleblower Aid, said in a statement that whistleblowers play a "vital role in exposing what big tech companies have managed for too long to hide from the public and regulators."

"As these whistleblowers become more numerous and impactful, our hope is that big tech companies recognize that transparency and accountability are a better way to operate than breaking the law and endangering their users," Gardiner said.