Peiter “Mudge” Zatko, the Twitter whistleblower who previously served as the company’s head of security, testified before the Senate yesterday — here are four key takeaways from his testimony.
Breitbart News previously reported that Peiter Zatko filed an explosive whistleblower complaint against Twitter in July. Zatko was a prolific hacker who was hired as Twitter’s security head before being fired in January by new CEO Parag Agrawal. In his whistleblower complaint, Zatko alleged that Twitter failed to protect user data, refused to address warnings when raised with executives, and lied about its security issues.
Zatko recently testified before the Senate about Twitter’s issues — here are four key takeaways from his testimony.
1: Zatko claims 4,000 Twitter employees have access to users’ personal info
Sen. Josh Hawley (R-MO) questioned Zatko on the access that Twitter employees have to user data, asking: “I want to make sure I got this straight. You’ve stated today and in your report that about 4,000 Twitter employees are classified as engineers. Is that right?”
Zatko confirmed that around half of Twitter’s 7,000 employees at the time were classified as engineers, to which Hawley responded: “Got it. And that means that these 4,000-ish employees would have had access to live user data all over Twitter. They could access individual users’ personal information, including their live data. Have I got that right?”
Zatko responded: “Yes, sir. They would have access to the production environment. If they spent the time to meander around and look around, they would find that they could access these large flows of data.”
Hawley asked: “Including geolocation data, did you testify to that earlier today?”
Zatko said: “I know that Twitter has IP locations and that they do use geolocation services based upon IP addresses.”
Hawley remarked: “Wow, 4,000 employees with access to that data. That’s extraordinary. So those employees would be in a position then, if they wanted to, to get this information and dox Twitter users. Is that fair to say?”
Zatko responded: “That is a concern of mine, sir, yes.”
Watch the full exchange below:
.@Twitter whistleblower reveals 4000 employees have access to all your personal info and can dox users – and have! Also testified that employees have hijacked users’ accounts pic.twitter.com/McjVYWm11t
— Josh Hawley (@HawleyMO) September 13, 2022
2: Indian government agents may be working at Twitter
Sen. Dianne Feinstein (D-CA) asked Zatko: “So, can you describe the types of efforts you’ve seen by foreign governments to infiltrate control, exploit, or surveil Twitter and its users and share what steps Twitter and regulators should have taken to protect against these attacks.”
To which Zatko responded: “Yes, ma’am. Thank you. One of the disturbing things that I saw based upon being 10 years behind where I would expect a modern tech company to be was a lack of an ability to internally look for and identify inappropriate access within their own systems.”
He added: “Other than the person who I believed with high confidence to be a foreign agent placed in a position from India, it was only going to be from an outside agency or somebody alerting Twitter that somebody already existed, that they would find the person what I did notice when we did know of a person inside acting on behalf of a foreign interest as an unregistered agent.”
Zatko stated that Twitter was unable to keep track of possible foreign agents, stating: “They simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own.”
Watch the full clip below:
Part 2: Whistleblower Zatko on foreign government agents at Twitter and the Saudi incident (Earlier this month, two former Twitter employees were charged and one found guilty of spying on behalf of the kingdom.)
— Karnika (@KarnikaKohli) September 14, 2022
3: Twitter employees can access a user’s phone number, address, and location at any time
Zatko revealed just how much information Twitter can collect on its users, and it appears to be much more than was previously understood.
Zatko told the story of a Twitter executive who was being harassed by a Twitter user and requested extra information on the potential harasser. Zatko stated:
A user on Twitter was harassing some members of the executive team and some members of the board. And as an example, this person, the CTO came to me and said Mudge [Zatko’s hacker handle], you know, is this a real viable threat? Do I need to be worried? You know, who is this person? And it took me maybe 30 minutes to reach out to an employee and say, what do we know about this person?
And then it only took that person, maybe 10 minutes to get back to me and say, here’s who they are. This is the address where they live. This is where they are physically at this moment. They’re on their phone. We know their phone number. We also know all of the other accounts that they’ve tried to set up on the system and hide, and we know who they are on the other social media platforms as well.
Watch the full clip below:
Twitter Whistleblower Peiter Zatko explains how easy it was for Twitter to track personal information of a user: the user’s phone number, address, and their location at that precise moment. pic.twitter.com/ZyKt2cLhMc
— Real Mac Report (@RealMacReport) September 13, 2022
4: Twitter employees can tweet from any Twitter account
When asked about his previous statements that Twitter engineers could tweet as anybody, Zatko stated: “That meant a Twitter engineer understanding how the running systems and the data flows were operating, could then access and inject or put forward information. As I mentioned in my oral statement as any of the senators sitting here today.”
Senator Hawley asked Zatko if he had ever seen this happen in practice, to which he responded: “No, not directly.” He was asked if he had any reason to believe it has ever happened, to which he responded:
The number of cases that were reported to me by individual engineers saying, “Hey, we found this, I’m gonna try and have somebody fix it,” where that was the exact problem and we wouldn’t know if it had happened in the past, yes, I am concerned.
Watch the full clip below:
WATCH: Whistleblower tells @HawleyMO Twitter engineers “could tweet as anybody.”
"A Twitter engineer … could then access and inject or put forward information as … any of the senators sitting here today."
"Are you concerned it has happened?"
"… Yes, I am concerned." pic.twitter.com/OSq3QG6UFh
— Philip Letsou (@philipletsou) September 13, 2022