Did Twitter ignore basic security measures? A cybersecurity expert explains a whistleblower's claims

Twitter’s former security chief, Peiter “Mudge” Zatko, filed a whistleblower complaint with the Securities and Exchange Commission in July 2022, accusing the microblogging platform company of serious security failings. The accusations amplified the ongoing drama of Twitter’s potential sale to Elon Musk.

Zatko spent decades as an ethical hacker, private researcher, government adviser and executive at some of the most prominent internet companies and government offices. He is practically a legend in the cybersecurity industry. Because of his reputation, when he speaks, people and governments normally listen – which underscores the seriousness of his complaint against Twitter.

As a former cybersecurity industry practitioner and current cybersecurity researcher, I believe that Zatko’s most damning accusations center around Twitter’s alleged failure to have a solid cybersecurity plan to protect user data, deploy internal controls to guard against insider threats and ensure the company’s systems were current and properly updated.

Zatko also alleged that Twitter executives were less than forthcoming about cybersecurity incidents on the platform when briefing both regulators and the company’s board of directors. He claimed that Twitter prioritized user growth over reducing spam and other unwanted content that poisoned the platform and detracted from the user experience. His complaint also expressed concerns about the company’s business practices.