Twitter whistleblower to Congress: A bad actor can take over any one of your accounts

Twitter whistleblower Peiter “Mudge” Zatko appeared before the Senate Judiciary Committee at the Capitol on Tuesday and let some of the U.S.’s most powerful politicians in on some striking news:

It would be easy for a bad actor to take over any of their Twitter accounts and start tweeting from it, according to Zatko. 

This isn’t a new concern. Back in 2020, a 17-year-old hacker was able to break into Twitter’s internal systems, take over major verified accounts including those belonging to Joe Biden, Barack Obama, and Elon Musk, and start tweeting from them. However, as Zatko explains, this is still something that could easily happen again, and he considers this a national security threat.

Zatko, who previously worked as Twitter’s head of security, has quickly found himself thrust into the spotlight mere weeks after blowing the whistle on his former employer. The cybersecurity expert, who’s better known by his handle “Mudge,” claims that Twitter is rife with privacy and security issues. Zatko also formerly worked for the U.S. government as part of DARPA.

One of the main topics raised by members of the Senate Judiciary Committee was influence from foreign agents within Twitter. According to Senator Chuck Grassley (R-IA), Twitter was warned by the FBI about possibly having one or more agents from both China and India working for the company.

Just last month, a former Twitter employee was found guilty of spying for Saudi Arabia. So the fact that this is a concern isn’t breaking news, but the fact that it may still be happening doesn’t depict Twitter in the greatest light. Zatko said when he brought these concerns up to company executives, one response he received was “Well, since we already have one, what is the problem if we have more?”

What can foreign agents do while working at Twitter? Zatko shared a story about a Twitter executive who was concerned about tweets from a user directed at him. When Zatko asked a subordinate to look into this user’s tweets about the executive, the employee was able to tell him information such as where the Twitter user lived and where they were currently posting from. According to Zatko, way too many Twitter employees have way too much access to way too much data and way too many internal systems. The former head of security explained that he’s seen sellers on third-party marketplaces charge for access to Twitter’s internal systems.

This isn’t the only problem with this data collection either, according to Zatko. He explained that the company doesn’t even know what data they have, where it lives, or where it came from. This data includes users’ phone numbers, emails, and the locations where they access the Twitter platform.

Twitter has attempted to paint Zatko as a scorned ex-employee. However, at the hearing, he made it quite clear how important Twitter is to the online landscape and that’s why he blew the whistle. In his words, he wants to see the company do well, but he couldn’t sit idly by while they brushed aside these detrimental issues.

Over the years, Capitol Hill has seen quite a few hearings on data and security issues involving a revolving door of Big Tech companies. These companies usually come out of these hearings fairly unscathed, regardless of how brutal Congressmembers can be during the hearings. At one point during this hearing, Senator Amy Klobuchar (D-MN) used her time to voice frustration with this very thing. She explained how essentially nothing has been done in the Senate to address any of the concerns voiced during these hearings over the years.

The Senate’s lack of action on these issues wasn’t the only government failure brought up. Zatko explained how Twitter just wasn’t all that concerned over the FTC due to the fact that any rules they broke would likely result in one-time fines that the company viewed as the cost of doing business. He compared Twitter’s reaction to France’s version of the FTC, the data protection agency CNIL. Zatko said Twitter was “terrified” of them due to more serious and robust penalties for breaking the country’s laws.

Zatko’s hearing won’t change any of this alone. But his testimony laid out the problems he sees at Twitter in a way that really drives home these concerns. Zatko’s testimony may have sounded like the familiar fear-mongering about Big Tech and a master plan to use its secretive collection of user data for financial gain, yet he centers a narrower takeaway: Twitter actually has no idea what it’s doing. And, in turn, they are being irresponsible with your data. Nefarious actors can steal your account and get away with it because Twitter’s internal systems are a mess.

As Zatko lays it out, Twitter has already experienced very real security concerns. Yet, it appears the company hasn’t learned any lessons. According to Zatko, those same exact problems could easily be exploited by bad actors today.