
How a 51-year-old celebrity hacker upended one of the world’s most influential



New York (CNN Business)

When Peiter Zatko joined Twitter as head of security in late 2020 at the urging of founder and then-CEO Jack Dorsey, he was surprised by what he discovered. Twitter, a social network with hundreds of millions of users, “was over a decade behind industry security standards,” he later testified.

Barely a year later, Zatko was agitating for Twitter’s top executives to address what he described as “a ticking bomb of security vulnerabilities” and to provide a full accounting of its shortcomings to its board.

His concerns, raised privately at first and later in a whistleblower disclosure that became public, would upend one of the world’s most influential social networks and raise new questions about its pending acquisition by the world’s richest man, Elon Musk. It would also, he later testified, put his career and his family at risk.

In his disclosure filed with various US government agencies in July, Zatko alleged that Twitter (TWTR) trusted far too many employees with access to sensitive user data, creating a fragile security posture that an outsider could exploit to wreak havoc on the platform. The disclosure also claimed that one or more current Twitter employees may be working for a foreign intelligence service, potentially threatening user data and US national security, and that Twitter CEO Parag Agrawal misled the company’s board of directors by discouraging Zatko from providing a full account of Twitter’s security weaknesses. (Twitter has criticized Zatko and broadly defended itself against the allegations.)

“Given the real harm to users and national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower,” Zatko, better known as “Mudge” in cybersecurity circles and highly regarded in that community, said during a Senate hearing on his disclosure in September. “I did not make my whistleblower disclosure out of spite or to harm Twitter, far from that, I continue to believe in the mission of the company and root for its success.”

Since going public with his concerns, Zatko, who has held numerous posts in the private and public sector, has found himself at the center of renewed scrutiny of Twitter. He testified last month in a Senate committee hearing about his disclosure, and his allegations have caught the attention of various regulators both in the United States and abroad. Meanwhile, his former colleagues received requests for paid interviews from research firms apparently seeking information, and potentially dirt, on Zatko, according to a report last month by the New Yorker.

Zatko testifying before the Senate Judiciary Committee in September.

The disclosure also coincided with, and ultimately became a part of, Musk’s fight to get out of his $44 billion deal to buy Twitter. Zatko was deposed by Musk’s team and the billionaire was allowed to add some of Zatko’s allegations to his argument to terminate the deal. Although it now appears Musk wants to go forward with the acquisition, the timing of Zatko’s allegations sparked questions about his motives. (Zatko denies any relationship with Musk and says his decision to go public was unrelated to the deal; Musk’s legal team says it was unaware of the disclosure until it was publicly reported.)

Twitter pushed back on Zatko’s allegations, saying that security and privacy have “long been top company-wide priorities.” Twitter has said his disclosure is “riddled with inconsistencies and inaccuracies,” and said that it paints a “false narrative” of the company. Twitter has also tried to paint Zatko as a disgruntled former employee with an ax to grind against the company.

But some who have worked alongside Zatko over the last three decades paint a picture of him as a principled technologist with a knack for making the complex accessible and an earnest desire to fix problems, as he’s done for much of his career. The decision to blow the whistle, they say, is in keeping with that approach.

“He’s not doing this for fun. It doesn’t get him anything,” said Dave Aitel, a former computer scientist at the National Security Agency and colleague of Zatko’s at cybersecurity consulting firm @stake. “That’s actually what integrity looks like when you have to see it up close.”

As a result of his whistleblower activities, Zatko may be eligible for a monetary award from the US government. John Tye, founder of Whistleblower Aid and Zatko’s lawyer, previously told CNN “the prospect of a reward was not a factor in…


