Twitter’s security woes are far from over.
A new Twitter whistleblower alleges in a complaint filed in October the platform hasn’t fixed security problems even after pledging to do so following a major breach in 2020. That year, teenagers hacked the accounts of politicians, celebrities and other high-profile figures including Barack Obama and Elon Musk to spread a cryptocurrency scam. Twitter said publicly in a blog post it limited access to its internal systems and tools while it investigated the attack.
The whistleblower, a former Twitter engineer, is concerned about an internal program that allows employees to tweet under any account. One Twitter employee estimated that roughly 4,000 employees had access to this program, once known as “GodMode.” The existence of the program shows that “Twitter’s public statements to users and investors were false and/or misleading,” the anonymous whistleblower states in the 24-page complaint. Nonprofit law firm Whistleblower Aid filed the complaint to the Federal Trade Commission and the US Department of Justice.
“Our client has a reasonable belief that the evidence in this disclosure demonstrates legal violations by Twitter,” the complaint said.
The Washington Post, who interviewed the whistleblower, reported earlier on the allegations. The former Twitter employee, who requested anonymity because of harassment and safety concerns, told The Post that Twitter created the “GodMode” program so workers could tweet for some advertisers. Twitter engineers renamed the program to “privileged mode” following internal backlash, the whistleblower told The Post. Twitter didn’t respond to a request for comment.
The whistleblower also filed another complaint in September with the FTC and the US Department of Justice, raising similar concerns about the amount of access employees had to Twitter accounts. In that complaint, another Twitter engineer told the whistleblower that they discovered in 2020 that workers could tweet as any account and brought up the same concern two years later.
A congressional staffer shared the September and October complaints with CNET.
The latest allegations could spark more scrutiny from lawmakers and regulators during a chaotic time for Twitter. Before billionaire Elon Musk closed a deal to buy Twitter for $44 billion last year, Twitter’s ex-security head Peiter “Mudge” Zatko outlined several security issues at the company including allegations that employees had too much access to user data. Twitter fired Zatko, who joined the company after the 2020 security breach. In the complaint, Zatko accused Twitter of violating an 11-year-old settlement with the FTC. Twitter said Zatko’s allegations were “riddled with inconsistencies and inaccuracies and lacks important context.” Whistleblower Aid is also representing Zatko.
After Musk’s takeover, the company cut half of its workforce, dissolved its Trust and Safety Council and made other drastic changes that have raised questions about how well Twitter will be able to handle security problems and content moderation issues. Twitter users have also complained that an extra level of account security known as two-factor authentication isn’t working properly.
The FTC declined to comment on the latest whistleblower complaint. The whistleblower has also met with the Senate Judiciary Committee and the House Energy and Commerce Committee, The Post reported.
On Wednesday, Rep. Jan Schakowsky, an Illinois Democrat, said in a statement that the latest whistleblower allegations “highlight that technology companies are routinely failing to protect the security and privacy of consumers’ data.” She urged Congress and regulators to pass legislation to help safeguard consumer data.
“I am particularly concerned about Twitter users’ data, as well as the potential impact of the debts Elon Musk owes to foreign powers,” she said in the statement. “Musk’s leadership has been tumultuous.”
Kyle Gardiner, associate counsel for Whistleblower Aid, said in a statement that whistleblowers play a “vital role in exposing what big tech companies have managed for too long to hide from the public and regulators.”
“As these whistleblowers become more numerous and impactful, our hope is that big tech companies recognize that transparency and accountability are a better way to operate than breaking the law and endangering their users,” Gardiner said.