Twitter Cybersecurity Defects: What it Means for You
Did Twitter Whistleblower Peiter ‘Mudge’ Zatko Lend Credence to Elon Musk’s Claims?
Add bookmark
Elon Musk may be right, after all. A man known as Mudge — an infamous and celebrated ‘ethical hacker’ turned cybersecurity expert and former Twitter security head — has ‘blown the whistle’ on his former employer, the social media platform Musk agreed to purchase. ”The explosive allegations could have huge consequences, including federal fines and the potential unraveling of Tesla CEO Elon Musk’s bid to buy Twitter.”
According to Mudge, born Peiter Zatko, Twitter’s “extreme, egregious deficiencies” in its cybersecurity represent a risk “to users' personal information, to company shareholders, to national security, and to democracy.” And, like the Tesla CEO, he says there is a bot problem — and Twitter “lied” to Musk during the acquisition process.
Imagine, Zatko told CNN correspondent Donie O’Sullivan, “You get on an airplane, and every passenger and attendant crew all have access to the cockpit, to the controls… It’s too easy to accidentally, or intentionally, turn an engine off.” This, he explains, is what security’s like at Twitter. And at a time when consumer concerns about misinformation and online data privacy are at an all-time high, this revelation could be damning for the seventh most popular social media platform in the US — not to mention the digital businesses and online advertisers that rely on Twitter to expand brand awareness, engage and assist customers and prospects, and generate leads.
So, what did Mudge expose? Is it what Musk has been warning us about? And what can we do to protect our brand reputation and customer relationships, on and off Twitter?
The Twitter Whistleblower: Who is Peiter Zatko, and What Did He Uncover?
Peter Zatko, long haired and self-referring as ‘Mudge,’ was among a group of hackers who testified before Congress on cybersecurity in 1998; in the 1990s he conducted classified work for a government contractor while serving as a leader of the Cult of the Dead Cow, a hacking group notorious for distributing Windows hacking tools to compel Microsoft to improve its security.
Prior to joining Twitter, a trimmed-up Zatko oversaw security at Stripe, took on special projects at Google, and doled out grants for cybersecurity projects on behalf of DARPA, the Pentagon’s Defense Advanced Research and Projects Agency. He also told CNN he was offered a day-one position in Biden’s White House.
But Zatko took Jack Dorsey up on his offer and chose Twitter in 2020; Jack asked after Twitter experienced a massive data breach — when a couple of pioneering youngsters (and some friends) hacked the social network, taking over the accounts of President-Elect Joe Biden, former President Barack Obama, Twitter foe(?) Elon Musk, and many of the world’s most famous celebrities.
"I suppose a VPN would be good for better security, but it will always start with you."
– Daryle Lamont Jenkins, executive director of One People's Project
Peiter Zatko at Twitter: From Savior to Pariah
This coordinated attack on its systems “was an important reminder of how far Twitter needs to go in building some of the basic security functions necessary to run a service targeted by adversaries much more skilled than the teenagers arrested for that incident,” said former Facebook chief security officer and Zatko consultant Alex Stamos back in 2020. Twitter is “going to have to find creative solutions to these problems, and if Mudge is famous for anything in security, it is being creative.”
Zatko, meanwhile, said in an interview with CNN that he joined Twitter because the platform is a “critical resource” hampered by security failings unaddressed by its CEO Parag Agrawal.
According to Zatko, who reported directly to the Twitter CEO, Twitter employees have access to all of our user data, which could be sold to aggressive advertisers fearing the retirement of third-party cookies, a foreign government looking to influence an election, or a terrorist organization here or abroad that wants to identify and track perceived enemies. “After the January 6 insurrection,” for instance, “Zatko was concerned about the possibility someone within Twitter who sympathized with the insurrectionists could try to manipulate the company's platform.” And easy access to private user data is only one of the many terrifying revelations in Zatko’s disclosure, a 200-page complaint filed July 2022 with the SEC.
In his disclosure, Zatko charges that Twitter has deceived shareholders and violated its agreement with the FTC to uphold security standards. The much-redacted document:
“[P]aints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company's senior-most executives have been trying to cover up Twitter's serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.” (CNN)
According to Zatko, he was removed for asking too many questions. Of course, Twitter says “Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership” (honestly, not the best HR/employee experience move, even if it’s true!).
So, is it possible his “opportunistic” allegations are, in fact, “riddled with inconsistencies and inaccuracies?”
The Mudge Disclosure: Peiter Zatko Eviscerates Twitter’s Failed Cyber Defense Efforts
Not if you ask the FTC, or the verified accountholders victimized by Twitter hackers (and ignored by Twitter):
- In 2010, for instance, the FTC filed a complaint against Twitter for allowing excessive access to its central controls and mishandling user's private information, resulting in an FTC consent order requiring not only security improvements but a “comprehensive information security program;” according to Zatko, we’re all still waiting, and Twitter’s always been in violation of the legal order
- Likewise, in 2022, a “scam has been running rampant,” targeting journalists, lawyers and influencers, with Twitter “seemingly unable to bring it under control”
As Zatko details in his disclosure, his initial excitement (about Twitter’s willingness to innovate) turned to exasperation, as he quickly realized:
“It was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did.... Nobody knew where data lived or whether it was critical."
In fact, he says:
- About half of Twitter’s 7,000 or so full-time employees have access to users’ sensitive personal data and internal software, which at best leads to corporate spam and at worst threatens user health and safety
- Thousands of laptops contain complete copies of Twitter’s source code (what!?)
- Twitter deliberately obscures the scale of its fake/spam account problem by reporting bots only as a percentage of mDAUs (monetizable daily active users) instead of the total number of accounts, directly impacting on-site user experience as well as the efficacy of the data shared with the platform’s digital advertisers
Oh, and:
- About half of Twitter’s half a million servers run on outdated software that doesn’t support even basic security features such as stored data encryption or regular third-party security updates, which puts all user and advertiser data in jeopardy
- Twitter lacks sufficient technical redundancies and emergency response procedures to recover from data center crashes (i.e., even minor outages at several data centers could take down Twitter, permanently), which means we could all lose everything
- Twitter is particularly vulnerable to foreign government exploitation and may even have foreign spies currently on its payroll, significantly increasing the likelihood of users facing future disinformation campaigns
Mudge, and the Musk Connection
M&A experts (and I) had been saying that Twitter had the stronger argument in its legal battle against Elon Musk; as CNN suggested August 23, 2022, though, “the new disclosure could help bolster Musk’s argument and potentially encourage the court to pay closer attention to the bot issue.”
But that’s not all: Mudge’s expansive disclosure could aid Musk’s legal team in developing additional arguments against the Muskover. "For years, across many public statements and [SEC] filings, Twitter has made material misrepresentations and omissions... regarding security, privacy and integrity," reads Zatko's disclosure. "Twitter's misrepresentations are especially impactful, given that they are directly at issue in Elon Musk's contemplated takeover of the company."
(And, in case you’re wondering, Zatko and Musk assert no relationship or communication prior to the release of the disclosure.)
In response to the disclosure and amid growing uncertainty about the future of the business, Twitter CEO Agrawal shared an internal memo promising that the firm would challenge Zatko’s “frustrating and confusing to read” allegations. Musk’s attorney Alex Spiro, meanwhile, told CNN they “found [Zatko’s] exit and that of other key employees curious in light of what we have been finding” — and immediately issued a subpoena for the former Twitter security head.
As for what this will mean for Twitter, only time will tell; I’m predicting here and now that the Mudge disclosure will save Musk from following through on his commitment to purchase the company.
And, unfortunately for those of us who love and leverage Twitter, Zatko’s alarming report may also lead to future actions from the federal government.
Zatko’s Twitter Disclosure and the US Government Response
As far as I can tell:
- The best thing that could happen would be for Twitter to improve its security measures, so we can continue to enjoy the app — and, perhaps for the first time, enjoy it safely
- Doing nothing clearly wouldn’t be the safest option, but I never felt particularly unsecure in the first place — even with the phishing DMs (and of course there’s AccessNow if your account gets hijacked)
- Allowing Twitter to fall apart into obscurity, a la Myspace or Friendster, would be catastrophic for at least a few hundred thousand businesses and public figures who’ve relied on the app for years
For the federal government, though, laws are laws (sometimes). And its reps are pissed. Senator Dick Durban, chair of the Senate Judiciary Committee, vowed to investigate and said the Committee would “take further steps as needed to get to the bottom of these alarming allegations.” Senator Chuck Grassley, the Committee’s top Republican and an avid Twitter user, took it even further:
"Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you've got a recipe for disaster."
Senator Richard Blumenthal (who I interviewed 20 years ago when he was attorney general of Connecticut), one of the country’s wealthiest senators and chair of the Senate subcommittee on consumer protection, took a more even stance, providing context for the current corporate catastrophe. “If the Commission does not vigorously oversee and enforce its orders,” he warned in a letter, “they will not be taken seriously and these dangerous breaches will continue.”
Again, not something anyone wants — and especially not:
- The average, mostly powerless consumer using Twitter just to have a little fun, sharing memes, annoying celebrities, following the news, and learning about new brands and products
- Businesses that use Twitter to connect with their customers and prospects
- Businesses that use Twitter to target their digital ads to certain audience(s) at certain times
Zatko’s Twitter Disclosure: Where Do Digital Businesses and Online Advertisers Go From Here?
Does your organization use Twitter? If so, start by asking these questions:
- Do we adhere to Twitter’s safety guidelines?
- What is our Twitter strategy, and how might it need to be adjusted based on potential repercussions of the Zatko disclosure?
- How much money do we spend on Twitter, per campaign, per quarter, and per lead? How does this compare to other social media platforms and other forms of digital marketing (e.g., email or text messaging)
- Is there anything we do from a digital marketing, sales or CX perspective that requires Twitter? If not, what might be the impact of closing our account or only using it for certain, narrower purposes?
- If leaving Twitter would create gaps in our digital marketing, sales or CX, how could we best turn them into opportunities? Are there other strategies or tools we haven’t yet tested?
- Do we rely on Twitter for third-party user/customer data? Have we begun to prepare for the retirement of tracking cookies?
- Who is responsible for our Twitter strategy, content creation and organic implementation? Are they subscribed to Customer Engagement Insider? Are they keeping an eye on experts’ changing recommendations? Have they tried the top six Twitter marketing strategies listed here? What about our six must-haves for optimal Twitter performance — has your Twitter lead approached the app with all the necessary capabilities?
- Do we advertise on Twitter? If so, who is responsible for determining who we target, along with how, when and at what cadence?
- Who is responsible for our Twitter/social media data analytics? What did our latest performance report tell us? How does recent performance compare to historical performance? Were there specific organic or paid campaigns that performed particularly well (or poorly)? How does our Twitter performance compare to our performance on other social media platforms (and, if not well, is it worth using Twitter at all)?
- Do we have any internal safety measures in place to protect our organization and/or our customers from Twitter spam, hacks, etc.? What about a policy and process if an account is lost?
- Do we use a third-party social media management platform? If so, can we calculate the ROI? Is it worth the investment? What are the pros and cons? And if we haven’t yet tried one, why not?
If your organization has succeeded — through COVID and The Great Resignation; and MeToo, BLM and intensified demands for DEI — and hasn’t used Twitter up to this point, don’t start now.
While everyone now hates Instagram and already hated Facebook, there’s always TikTok (which shares data with China), Snapchat (which isn’t great for advertising or evergreen content), Pinterest (which only works for certain, ‘aesthetic’ brands), YouTube (which has terrible social networking capabilities), and using influencers to do all the work for you (hmmmm…).
6 Twitter Marketing Strategies You Should Try
- Use Twitter influencers to spread your message and influence Gen-Zers, millennials and even Gen-Xers to become customers and eventually brand ambassadors themselves (nearly 90% of Gen Zers and millennials initially learn about things they want to purchase on social media — and four in 10 teens trust influencers more than their friends)
- Create and nourish communities (literally, and via DM groups or regular Spaces events) to develop loyalty and generate more leads and ROI
- Run polls to showcase your morals, values and vision
- Share behind-the-scenes footage to demonstrate your commitment to employee experience
- Leverage trending topics to create buzz like Wendy’s
- Respond ‘on main’ and in DMs to customer complaints and compliments to provide and publicize an optimal customer experience
6 Must-Haves Before Implementing Your Twitter Marketing Strategy
To achieve your twitter marketing goals, you’ll need someone on your team who can:
- Manage and utilize relationships with influencers and customers — and develop your influencer marketing program (e.g., an affiliate program manager, partnerships program manager or digital marketing manager — and a digital marketing, social media or PR strategist)
- Moderate and facilitate engagement in Twitter communities (e.g., a social media manager or community manager)
- Develop innovative polls based on the company mission and cause(s) (e.g., a social media manager or brand manager)
- Assemble and disseminate on-brand corporate video content (e.g., a video producer, general content creator, social media manager or HR manager)
- React quickly to capitalize on changing trending topics — on brand, and authentically (e.g., a social media strategist, digital marketing strategist or brand strategist)
- Not only deliver a positive CX but publicly demonstrate that commitment under the increased pressure of performing in an open forum (i.e., a team of CX professionals, with some help from a leading social media automation tool)
Assuming Twitter is, in fact, right for you, ask yourself whether your digital marketing team would benefit from streamlined social media content creation, scheduling, distribution and performance measurement. If so, demo at least two of the following, and invest in the one you think is best.
The Top 10 Social Media Management Tools
- Agorapulse
- Buffer
- HootSuite
- Hubspot (not just a CRM)
- Loomly
- MeetEdgar
- Semrush (not just an CEO tool)
- SocialPilot
- Sprout Social
- Zoho Social
Want to hone in on influencers? No problem.
The Top 10 Influencer Marketing Platforms
To determine which performance-driven influencer or creator marketing platform is best for you, consider requesting a demo from two or more of the top 10 highly rated options:
Need help optimizing your Twitter marketing? Need higher-quality leads from social media? Download this exclusive guide and discover what Customer Engagement Insider can do for you!
The Content and Promotion Behind the Likes and Retweets
Click here to learn how it works.
Image Credits (in order of appearance)
- Photo by Alex McCarthy on Unsplash: https://unsplash.com/photos/zkp21IMDBpg
- Photo by Jefferson Santos on Unsplash: https://unsplash.com/photos/9SoCnyQmkzI
- Photo by Petter Lagson on Unsplash: https://unsplash.com/photos/VH_L_H4w7U8
- Photo by Sigmund on Unsplash: https://unsplash.com/photos/Im_cQ6hQo10
- Photo by Dmitry Ratushny on Unsplash: https://unsplash.com/photos/xsGApcVbojU
- Photo by Bernard Hermant on Unsplash: https://unsplash.com/photos/IhcSHrZXFs4
- Photo by Dennis Maliepaard on Unsplash: https://unsplash.com/photos/7b7wSvGn2W4
- Photo by Laura Chouette on Unsplash: https://unsplash.com/photos/N9a5oS06Er4
- Photo by Recha Oktaviani on Unsplash: https://unsplash.com/photos/5tYUk7sZzqc