2022-08-24 Threatpost

Twitter Security Lapses: Whistleblower Alleges National Risk

Tags: Privacy, Data Breach, Regulation

Peiter “Mudge” Zatko, Twitter’s former head of security, filed a whistleblower complaint in July 2022 with the Federal Trade Commission (FTC) and the Senate Select Committee on Intelligence. Zatko, who served as the company’s security chief from late 2020 until his departure in early 2022, alleged that Twitter suffers from systemic security and privacy failures that he says pose a direct threat to U.S. national security. The 84‑page complaint details a litany of internal control weaknesses that, if exploited, could compromise the personal data of the platform’s roughly 200 million active users and enable foreign actors to manipulate public discourse.

The technical shortcomings highlighted in the filing are striking. Zatko claims that more than 1,400 employees possessed privileged access to Twitter’s production environment, yet multi‑factor authentication (MFA) was not enforced on many critical internal tools. Passwords for some backend systems were stored in plaintext, and user direct messages were not consistently encrypted at rest. The company’s logging infrastructure was described as “severely limited,” preventing timely detection of unauthorized activity. Additionally, Zatko cited known, unpatched vulnerabilities—some rated critical in the National Vulnerability Database—that lingered for months, and he alleged that third‑party code libraries with known security flaws were incorporated into the platform without adequate vetting. Network segmentation was reportedly weak, leaving core services reachable from the public internet without proper firewall controls.

If these vulnerabilities were weaponized, the consequences would extend far beyond a typical data breach. The exposure of user credentials and private messages could fuel large‑scale account takeover campaigns, identity theft, and targeted phishing attacks. Because Twitter serves as a primary conduit for breaking news, political messaging, and election‑related communication, exploitation of the platform could amplify disinformation, interfere with electoral processes, and undermine U.S. strategic interests abroad. Zatko’s complaint explicitly warns that foreign intelligence services could leverage the identified weaknesses to conduct espionage or covert influence operations on American citizens.

Twitter has denied the allegations, asserting that it invests heavily in security and maintains robust safeguards. The FTC has opened a formal investigation, and the Senate Intelligence Committee has scheduled hearings to examine the claims. Privacy advocates and cybersecurity experts are calling for stricter regulatory oversight of social media platforms, while the incident may accelerate pending legislative efforts to impose mandatory security standards for critical digital infrastructure.

Source: Threatpost
