Twitter’s former security head alleges “egregious” security flaws
Twitter’s former head of security has filed a whistleblower complaint with the government, alleging the social media company has gaping holes in its security practices and misleads the U.S. government — as well as its own corporate board — about its vulnerability.
The complaint from Peiter Zatko, Twitter’s security chief until he was fired in January of this year, claims that Twitter has “extreme, egregious deficiencies” in security, privacy and content moderation. He also contends executives with the blogging platform lied to U.S. regulators about having a strong security plan, as the company is required to have under a settlement with the Federal Trade Commission.
The company allegedly has no interest in or ability to calculate the number of bot and spam accounts on the platform, and it mismanages users’ personally identifiable information and suffers regular security breaches, the document claims.
Zatko filed the complaint earlier this year with the FTC, the U.S. Securities and Exchange Commission and the Department of Justice. CBS News has obtained a version of the complaint shared with Congress, which the Washington Post and CNN earlier reported.
Whistleblower Aid, a legal firm representing Zatko, said Twitter had an obligation to create a safe platform because of its “outsized influence on the lives of hundreds of millions around the world.”
“It has taken the courage of a high-level whistleblower with an impeccable reputation for ethics and integrity for law enforcement agencies, and the public, to learn the truth,” said Libby Liu, CEO of Whistleblower Aid.
Twitter did not immediately respond to a request for comment from CBS News. In a statement to CNN, Twitter disagreed with the conclusions of the complaint, saying that Zatko was fired “for poor performance and ineffective leadership.”
“While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us,” the statement said, according to CNN.
Sensitive data
Zatko’s complaint claims that Twitter had poor internal security practices, with up to half of the company’s 10,000-strong workforce having access to sensitive user data, 30% of employee computers turning off automatic security updates and no management system for employees’ phones. Many of Twitter’s data centers, which hold and process user information, can’t support encryption of data, according to Zatko.
Under a 2011 settlement with the FTC, coming after a series of hacks, Twitter is required to maintain a “comprehensive information security program” and can’t lie to users about their privacy. However, “Twitter had never been in compliance with the 2011 FTC Consent Order, and was not on track to ever achieve full compliance,” the complaint claims.
Along with lying to regulators, Twitter executives also routinely gave incorrect information to the company’s own board, claiming that security practices were stronger than they were, the complaint alleges.
Two years ago, Twitter’s lackadaisical approach led to the biggest social media hack in history, Zatko claims. A Tampa teenager was able to hack into high-profile Twitter accounts, including those of former President Barack Obama, Joe Biden, Jeff Bezos, Michael Bloomberg, Bill Gates and Kim Kardashian West.
According to the complaint, the hack “was pretty simple: Pretending to be Twitter IT support, the teenage hackers simply called some Twitter employees and asked them for their passwords. A few employees were duped and complied and—given systemic flaws in Twitter’s access controls—those credentials ‘were enough to achieve “God Mode,” where the teenagers could imposter-tweet from any account they wanted.’”
Zatko also alleges Twitter hired foreign spies, citing claims from a U.S. government source that “one or more particular company employees were working on behalf of another particular foreign intelligence agency.”
Senate Intelligence Committee Chair Dick Durbin said that the disclosure raises “serious concerns” and vowed to investigate. “If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” the Illinois Democrat said in a statement.
No way to measure bots?
Along with allegations of lax security, the complaint echoes criticism from onetime Twitter buyer Elon Musk that the platform is overrun by bots, claiming that executives have no way of knowing what portion of accounts were fake.
“[D]eliberate ignorance was the norm amongst the executive leadership team,” the complaint claims, with the company being unable to even provide a maximum estimate for the total number of spam and bot accounts. The team responsible for site integrity didn’t know how to measure bots, was consumed with internal drama and had no incentive from the company to find a truthful number, the complaint alleges.
Zatko claims that one internal verification method used by Twitter, but often disabled, foiled between 10 million and 12 million bots per month. In 2021, Twitter created a bonus structure under which employees could earn as much as $10 million for a short-term increase in monetizable daily active users, or mDAU, with no bonus for reducing spam on the platform, the complaint claims.
Twitter has long told regulators that fewer than 5% of monetizable daily active users on the platform, or mDAUs, are bots, a figure CEO Parag Agrawal recently repeated in a Twitter argument with Elon Musk. However, that explanation is a lie, the complaint claims, because the mDAU metric is already designed to leave out bots and other spam accounts.
A spokesperson for the U.S. Senate’s intelligence committee, Rachel Cohen, said the committee has received the complaint and “is in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously.”
CBS News’ Nikole Killion and the Associated Press contributed reporting.