Whistleblower Peiter Zatko has seen posts on underground forums from purported Twitter insiders offering to sell access to Twitter user data, he told Republican Louisiana Sen. John Kennedy during a Tuesday hearing.
Zatko, the company's former head of security, first came to Congress in July with concerns that Twitter employees could access sensitive user data without oversight. He also alleged that foreign spies were operating within the company, and that Twitter executives misrepresented the scope of the problem to the company's Board of Directors.
Twitter collects "the phone number," "the latest IP address they have connected from," "the current email, how long have they been using that email account, what are their prior emails," "where do we think they live, where do we think they are connected from right now, are they still connected or actively using the information, what type of device are they connected with, what type of web browser are they using, which brand is it, possibly which computer, what language did they connect in?" among other information, Zatko explained to Kennedy.
Any Twitter engineer can access that information, Zatko continued, and the company has little or no record that the engineer has done so.
“So this engineer, who can secretly go into Sen. Grassley’s account and get all this information, Twitter has no idea what the hell that engineer is going to do with that information?” Kennedy asked. “So that engineer at Twitter could sell it, for example, couldn’t he?”
“I’ve seen numerous accounts on underground forums offering to sell such access, whether those accounts are valid or not. But I’ve seen the offers to sell access to accounts, to delete accounts, to un-ban accounts,” Zatko answered.
“That engineer could just call one of his buddies and say, ‘hey, you don’t like Sen. Grassley. Let me give you some information here and you can use it against him.’ Could that happen?” Kennedy continued.
"With the access that they have," Zatko said, nodding.
“Would Twitter know that they did that?” Kennedy followed up.
"Not necessarily," Zatko acknowledged.
Zatko came to the committee with concerns that a Chinese spy was operating within the company, Senate Judiciary Committee ranking member Chuck Grassley of Iowa said in his opening remarks. In a separate case, Ahmad Abouammo, a former Twitter account manager, was convicted in August of failing to register as a Saudi foreign agent, as well as money laundering. Abouammo received a luxury watch and was wired three payments of $100,000 each.
The whistleblower added that he had to explain these security concerns to former CEO Jack Dorsey when he was first hired, since Dorsey did not understand. Twitter did not fix the issues before Zatko left, he added, since the company “had other priorities.”
“It would cost them money, wouldn’t it?” Kennedy finished.
“Yes,” Zatko responded.