
Renowned Hacker Mudge Turns Twitter Whistleblower, Alleges Massive Security Issues

Mudge says he found that Twitter virtually didn't monitor for insider threats, that employees turned off security updates, and that the company's data centers ran out of date software.
Image: Mudge. The Washington Post/Contributor

Twitter’s former head of security has now turned whistleblower and alleged, in multiple media interviews and in documents provided to Congress and law enforcement agencies, that the social media giant has a slew of serious cybersecurity problems. Among the allegations: insider threats, where malicious employees leverage their data access for their own benefit, sometimes to spy or harass, were virtually unmonitored, and Twitter did not take corrective action even when informed of abuses.


The whistleblower is Peiter Zatko, an infamous and highly respected hacker also known as "Mudge," who has acted as a bridge between the hacking community and government for decades. Zatko has previously testified in front of Congress and went on to work for DARPA.

“During Mudge’s employment, he uncovered extreme, egregious deficiencies by Twitter in every area of his mandate including (as described in detail below) user privacy, digital and physical security, and platform integrity/content moderation,” a document written by the group Whistleblower Aid, which is representing Mudge, reads. Because of the multiple issues, Mudge feared that Twitter “could suffer an Equifax-level hack,” the document, a copy of which was disclosed to Congress, adds.


The document says Mudge found numerous privacy issues, including misuse of vast internal datasets and mishandling of personally identifiable information, such as marketing campaigns based on user email addresses and phone numbers that had been collected for security purposes (in 2019, Twitter said it had used phone numbers for advertising that were supposed to be used only as a means of two-factor authentication).


Mudge also said that more than 50 percent of Twitter’s 500,000 data center servers were running non-compliant operating systems or kernels, which are the heart of an operating system and are especially important to keep up to date. Many of those servers were unable to support encryption at rest, which can protect data if it is accessed by a third party. More than 30 percent of employee computers had software and security updates disabled, the document continues.

For insider threats specifically, the document says that they were “virtually unmonitored, and when found the company did not take corrective actions.”

Insider threats are something that all social media companies have to deal with, but Twitter especially has faced high-profile cases of employees abusing their access to user data. Starting in around 2014, Twitter employees looked up personal information on Saudi dissidents and provided this information to the Saudi government. This month, one of those people, Ahmad Abouammo, was found guilty.


The tools that those workers have access to can also pose a serious security risk. Twitter hired Mudge after the catastrophic hack in 2020, in which teenagers managed to compromise some of the most high-profile accounts on the platform by abusing access to an internal Twitter management tool.

In its report, CNN said that Mudge has provided information about Twitter to multiple U.S. agencies, including the SEC, FTC, and the Department of Justice.

“All my life, I’ve been about finding places that I can go, and make a difference,” Mudge said in the filmed interview with CNN. 

John Tye, founder of Whistleblower Aid, told CNN in his own televised interview that “We are in touch with law enforcement agencies. They are taking this seriously.”

The document says that Mudge had prepared “comprehensive written materials” to present to Twitter’s Board about the social network’s problems, but he was instructed not to. In January, Mudge started to document evidence of fraud, the document continues. The document claims that Twitter CEO Parag Agrawal then lied about Mudge’s efforts to address fraud on the platform, and fired Mudge a day later. After that, Twitter’s Chief Compliance Officer started to email Mudge on his personal Gmail account in an attempt to get more information about the fraud.

“Apparently, Twitter’s own compliance officers understood the gravity of a situation in which the CEO had deliberately misled the Board,” the document continues. Mudge then continued to work for at least 150 hours, unpaid, “to do his best to document the underlying facts about information security, and the fraud he had identified.”

A Twitter spokesperson told Motherboard in a statement that “Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Lorenzo Franceschi-Bicchierai contributed reporting.
