Elon Musk’s two-week management of Twitter has made the platform more vulnerable to fraud and privacy violations by driving away key members of its longtime security staff, former Twitter employees and cybersecurity experts said Friday.
The fear that Twitter had become a more dangerous place for scams and the theft of personal information added to a growing sense of chaos around the service, which the tech billionaire bought last month for $44 billion.
Twitter’s chief information security officer Lea Kissner and its chief privacy officer Damien Kieran announced their resignations, and they were joined out the door by others who worked on cybersecurity and related teams. Musk a week ago laid off about half of Twitter’s workforce, citing financial constraints.
“They’re just wounded right now,” said Austin Berglas, a former FBI cybersecurity official in New York who’s now a consultant at security firm BlueVoyant.
“They’ve lost a lot of important players on the field, so I think people are going to try to exploit them while they’re down,” he said.
Berglas said the threats were likely to come from scammers and organized crime, as well as from hostile governments looking to exploit a fluid situation.
San Francisco-based Twitter did not immediately respond to a request for comment on the security situation at the company.
Mountains of information
Twitter stores mountains of personal information, including not just email addresses and passwords but data that’s inside its direct-message inboxes — a feature that does not have the end-to-end encryption that helps protect other popular messaging services.
The service for years has relied on its blue-checkmark verification system to increase confidence in the reliability of information on the platform, but impersonations and hoaxes proliferated this week after Musk attempted an overhaul of the system.
Ian Brown, a former senior engineering manager at Twitter, said in an online public discussion Friday that the lack of a fully staffed security team could lead to the site not functioning properly or users losing control of their accounts.
“There are security vulnerabilities happening all the time,” Brown said in a Twitter Spaces event.
He echoed a pessimistic view among some Twitter users this week: The service might go down entirely under Musk’s ownership. But he said the scams were a more immediate problem.
“Maybe Twitter doesn’t go down before every account has been pwned by a crypto scam,” he said, using a euphemism for being hacked. Brown didn’t respond to a request for comment.
Proofpoint, a company that tracks online fraud, said it had detected a “notable” increase in scammers operating on Twitter including a ruse designed to drain people of their savings.
Sherrod DeGrippo, the vice president of threat research and detection at Proofpoint, said one scam the company has tracked involves fraudsters sending Twitter users bulk direct messages, purportedly offering them work and encouraging them to speak with a young woman on the largely unregulated social media platform Telegram.
But those messages are actually introductions for an elaborate scam that tries to convince people to drain their savings by telling them they’re investing in cryptocurrency, DeGrippo said.
Scams were already an issue on Twitter, as they are on many major social media websites. But some changes Musk made opened the door to making them worse.
On Friday, Twitter paused the rollout of its Twitter Blue verification service, intended to let users pay $8 a month for a verification badge. Many users who signed up promptly changed their usernames and profile pictures to impersonate famous people and brands, leading to confusion on the site and Twitter to suspend the service.
Marc Rogers, a cybersecurity industry veteran and chief security officer of Q-Net Security, questioned Twitter’s decision to roll out such a fundamental change so quickly and with little testing. Trust-and-safety teams exist to prevent that, he said.
“The debacle with the Twitter verification is a really strong indicator as to what can go wrong,” Roger said.
“You know, it’s comedy to see posts from George Washington, from Jesus, from ‘Elon’ himself allegedly, but at the same time it’s terrifying. Because how do you know what’s the truth?” he said.
Rogers said that by leaving users with less protection, the company is taking on greater risk.
“At the end of the day, security staff is not just there to protect the user, although that’s like a critical part of it. They’re there to protect the company from assault from all sorts of directions,” he said. “They’re the guardrails that prevent companies from going off those cliffs.”
Previous scams and hoaxes
There’s precedent for Twitter’s use for large-scale scams and hoaxes.
In 2020, in one of the most visible hacks of an American company in years, a handful of cryptocurrency scammers tricked Twitter employees into giving them access to key company controls. They proceeded to take over many of the highest profile accounts on the site, including Musk’s and now-President Joe Biden’s, forcing those accounts to post a request for bitcoin.
“When the verified Twitter users got hacked a few months ago, it was only a bitcoin scam, right?” Rogers said. “But think about the possibilities of if you can take control of the voices of some of the most influential people in the world. It is actually kind of terrifying just how bad it could be.”
In 2013, hackers took control of an Associated Press account and sent a false tweet about explosions at the White House, causing a sudden drop in the stock market.
Some cybersecurity experts have openly speculated how Twitter Blue could be used for nefarious purposes. Alex Stamos, a founder partner of the cybersecurity company the Krebs Stamos group and a former chief security officer of Facebook, theorized that North Korean hackers known as the Lazarus Group could shift their attention from cryptocurrency scams to Twitter-based stock manipulation.
“Gosh, would be a good time to have one of the world’s experts on finding state-sponsored info ops on staff,” he added.
Inside the operation
Some former Twitter employees have previously warned about the platform’s security. Peiter Zatko, a widely respect cybersecurity veteran who was previously Twitter’s head of cybersecurity, testified before the Senate in September that the platform was “a decade behind industry security standards.”
And the company has dealt with spies on its own payroll. In August, a jury found a former Twitter employee guilty of spying on Saudi Arabian dissidents and passing their personal information to the Saudi government.
Berglas, the former FBI official, said he feared Twitter now has less capacity to catch such a person.
“You’re losing eyes on the interior, making sure that new employees are vetted appropriately,” he said.
“From a security perspective, it’s pretty dire,” he added. “When you fire so many folks in the security department at once, and then you’ve got some senior brass leaving, it’s concerning.”