Twitter has much bigger problems than bots, according to its former head of security, who just dropped a bomb in claims to the federal government that the site’s security is so lax it’s a risk to national security, and the company allegedly has foreign intelligence agents on the payroll.

Well, Elon Musk may have his good reason to back out of the Twitter deal after all! A bombshell set of allegations from Twitter’s former head of security dropped Tuesday morning, a now-whistleblower who has apparently already been working with the Department of Justice, the Federal Trade Commission, and Securities and Exchange Commission.

That former head of security submitted disclosures to those agencies, as well as Congress, detailing what CNN calls “reckless and negligent cybersecurity policies,” including that thousands of Twitter employees have access to central controls with no oversight, that executives have been knowingly lying to investors and regulators for years, and that that company likely has foreign spies on the payroll. (The story was simultaneously given to the Washington Post.)

Yes, this is a lot to take in. All of the allegations are far more serious and detailed than Elon Musk's complaints about bots, and while that’s one of the disclosures too, it’s about the 19th most shocking allegation of the bunch. The disclosures come from Twitter's former head of security Peiter “Mudge” Zatko, a known for decades as one of the top white-hat hackers, as seen in this vintage Bill Clinton presidency-era interview with CNN’s Bernard Shaw.

Zatko was brought onboard at Twitter after that massively embarrassing 2020 hack where Bitcoin scammers got access to (and tweeted from) the accounts of Musk, Joe Biden, and former president Barack Obama. In that case, it turned out two teens got internal access from Twitter employees. Zatko was brought in to clean up that mess, but says he ran into an executive culture where, in his words, “deliberate ignorance was the norm.”  

CNN and the Washington Post both obtained the disclosures Zatko made to the feds and Congress. According to CNN, Zatko said Twitter is a “a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight.” He also alleges, per CNN, “that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.”

A Twitter spokesperson responded to the New York Times and others that “Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance.” The spokesperson added, “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”

But the spy stuff is frankly pretty credible, considering that Twitter had two employees spying on behalf of Saudi Arabia a few years back. Zatko’s other allegations cover national security matters, but also just general online security matters, both in terms of the safety of your user data, and how nearly half of the company has access to the site’s controls with no oversight.  

“All engineers had access. There was no logging of who went into the environment or what they did,” Zatko alleged in his claims to the government. “Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.”

These allegations are certainly a boon to Elon Musk, because as the New York Times reports, there is a section in Zatko’s disclosures that is literally entitled “Lying About Bots to Elon Musk.”

In that sense, you could brush Mudge off as some sort of Musk fanboy trying to help his hero. But looking at the timeline of his firing and his disclosures to the government, they all occurred well before Musk Twitter takeover attempts.

"I felt ethically bound," Zatko tells the Washington Post of his decision to come forward publicly now. "This is not a light step to take."

Related: Hackers Seize Jack Dorsey's Twitter, Make Bomb Threats, Praise Hitler [SFist]

Image: MatthewKeys via Wikimedia Commons