The chaos continues at Elon Musk’s Twitter, with cybersecurity troubles mounting. Security experts and whistleblowers have warned of a new company environment that is severely undercutting defenses, leading to potential consequences for both Twitter HQ and the millions of daily active users that use the giant social media platform.
An exodus of Twitter’s security staff, including a surprising departure from the company’s Chief Information Security Officer Lea Kissner, has proven detrimental thus far – with security experts warning that a massively reduced cybersecurity team would allow for potential bad actors to take advantage of growing security vulnerabilities. The Washington Post had confirmed that “several other members of the site’s privacy and security unit also had resigned,“, on top of massive layoffs conducted by Musk after taking over Twitter. Among the other former employees who resigned include the company’s chief privacy officer, chief compliance officer, and the head of moderation and safety, Yoel Roth.
Cybersecurity expert and director of the Stanford Internet Observatory Alex Stamos tweeted that “there is a serious risk of breach with drastically reduced staff.” The former Yahoo CISO warned of ‘real-life harm’ from the dismantling of the Twitter security team, as well as warning the company of potential action from regulators including the FTC and SEC, as well as a number of European regulators.
The chaotic dismantling of Twitter’s security team prompted a rare statement from the FTC, with the agency saying it is “tracking the developments at Twitter with deep concern”, and that it is prepared to take action.
“No CEO or company is above the law, and companies must follow our consent decrees,” said Douglas Farrar, the director of public affairs for the FTC.
Meanwhile, Musk’s attorney, Alex Spiro, claimed in a company-wide Slack post that “Elon puts rockets into space, and he’s not afraid of the FTC.”
Because of the mass exodus, unnamed sources have confirmed that Twitter’s legal department is asking engineers to “self-certify” compliance with FTC rules and other privacy laws, which could lead to even more disastrous results.
Cybersecurity and privacy expert Riana Pfefferkorn tweeted last Thursday, “That’s not how this works. That’s not how any of this works,” in response to the news of Twitter’s legal team asking engineers to “self-certify”. “Per the order, a small team of senior execs is on the hook for making privacy & security decisions, which are legally binding on the company. And a senior officer has to certify compliance with the order annually to the FTC. This “everyone must self-certify” thing is nonsense.”
Pfefferkorn continued, explaining that any engineer who self-certifies to the FTC risks an FTC invoked complaint, which could lead to an investigation for perjury. She asks, why would lower-level employees risk themselves for Musk, who clearly doesn’t care about threats from the FTC and SEC?
All of this raises serious questions about the integrity of the company’s security protocols, as well as the company’s ability to defend from hackers. Twitter stores a massive amount of user data, including phone numbers, internet protocol addresses, as well as direct messages, which are unencrypted, despite pleas from cybersecurity experts. How can the remaining Twitter team, as well as Musk, guarantee safety for its massive number of users?
Even before Musk’s takeover, a Twitter whistleblower testified before Congress in September, claiming that the company’s failure to secure sensitive data could cause “real harm to real people.” The whistleblower, the company’s former head of security, Peiter Zatko, claimed in his testimony that employees had access to too much data, the company wasn’t properly tracking data access, and that executives had misled the public, regulators, and the company’s own board about its broken defenses against hackers, among many other credible accusations.
The two weeks of chaos at Twitter was intensified by Musk’s first product at the company, Twitter Blue’s verification badge, an idea that was intensely crucified by security experts before a very messy implementation. The verification badge, previously only held by notable public figures and organizations, would now cost $8 a month, allowing any user on Twitter to pay for verification. This predictably led to many impersonation accounts, appearing to be legitimate since they donned a blue checkmark badge.
Parody tweets from accounts impersonating brands and public figures ended up costing the social media giant millions in advertising revenue, after companies like Eli Lilly’s stock tanked because of viral parody tweets. As a result, the pharmaceutical giant pulled all advertising from Twitter. Other companies followed suit, falling to pressure from human right activist groups.
Other impersonation accounts acted much more malicious. Users reported prevalent fake crypto exchange accounts, donning a verification badge, soliciting login information from crypto users requesting assistance through Twitter’s Direct Messages (DMs). Other bad actors impersonated other prevalent companies including Apple, Tesla, and others, attempting to solicit account information from unsuspecting victims.
Researchers also found a fake McDonald’s account donning the paid verification badge, apparently trying to spread malware via the platform. The thread had generated more than 400,000 likes and millions of interactions.
“It took me less than 25 minutes to set up a fake anonymous Apple ID using a VPN and disposable email, attach a masked debit card to it (with the address being Twitter’s HQ), and get a verified account for a prominent figure,” tweeted a user, going viral. “Just think what a nation-state or bad actor could do…”
Unsurprisingly, the new Twitter Blue feature was revoked by the company days after implementation. The idea proved disastrous for the company’s cybersecurity, revenue, and reputation. Although despite this, Musk has said he plans to bring back the exploitative feature by November 29th.
Meanwhile, signs are starting to show that the company’s security is cracking. First reported by WIRED, some users have reported that Twitter’s SMS two-factor authentication system is starting to malfunction. The authentication codes either don’t get sent, or are delayed by hours, preventing users from accessing their accounts, and potentially leading to losing access from them. This is among one of the first signs that troubles in Twitter’s infrastructure are ‘bubbling to surface’, as the company’s IT team spreads increasingly thin.
Twitter’s increasingly destabilized infrastructure is very worrying, mostly for users whose data is on the line. Some experts have even began calling for people to delete their direct messages, or even their accounts altogether, in preparation for a possible data breach.