Twitter finally broke its silence over the first security incident of the Musk era: an alleged data breach that exposed the contact information of millions of users.
In late December, a poster on a popular cybercrime forum claimed to have scraped the email addresses and phone numbers of 400 million Twitter users by way of a zero-day security flaw in Twitter’s systems, previously blamed for exposing at least 5 million Twitter accounts before it was fixed in January 2022. The subsequent sale of another, smaller dataset containing the email addresses associated with more than 235 million Twitter accounts is said to be a cleaned-up version of the alleged dataset of 400 million Twitter users. Researchers warned that the email addresses, which included the details of politicians, journalists and public figures, could be used to dox pseudonymous accounts.
Twitter, or what’s left of the company, addressed the situation last week.
In an unattributed blog post, Twitter said it had conducted a “thorough investigation” and found “no evidence” that the data sold online was obtained by exploiting a vulnerability of Twitter’s systems. An absence of evidence, however, is not vindication, as it’s unclear if Twitter has the technical means, such as logs, to determine if any user data was exfiltrated. Rather, the company said that hackers had likely been circulating a collection of data pulled from past breaches and said the data did not correlate to any of the data obtained by way of exploiting the bug that was fixed in January 2022.
What Twitter is saying may very well be true, but it’s difficult to have confidence in the company’s statement. Twitter’s erratic response raises many of the same questions that regulators will want to know: Who was tasked with investigating this breach, and does Twitter have the resources to do a thorough job?
An important lesson in what not to do
Twitter’s statement, even taken at face value, does serve at least one purpose: It’s a useful illustration of how not to respond to a data breach. Aside from its week-long delay, Twitter fails to explain the steps it took during its purportedly “thorough” investigation, as well as what it plans to do to ensure it doesn’t fall victim to a similar event in the future.
For startups on a mission to avoid making the same mistakes and running afoul of the watchful eyes of U.S. regulators: Watch what Musk-led Twitter is doing, and do the opposite.
Twitter — and separately, Elon Musk — has been under regulatory scrutiny for years, and this scrutiny only looks to become more intense given the social network’s frenetic overhaul under its new, equally frenetic owner.
For starters, mass layoffs at Twitter since Musk’s takeover — and his apparent lackadaisical attitude toward said layoffs — have sparked concerns that the social media giant may fail to abide by a May 2022 settlement with the U.S. Federal Trade Commission in which the company agreed to improve its privacy practices. As a result of the settlement, Twitter agreed to pay a $150 million penalty for targeting advertising toward users whose phone numbers and email addresses were collected when enabling two-factor authentication. The FTC said the ad targeting violated the terms of Twitter’s 2011 settlement with the FTC, which “explicitly prohibited the company from misrepresenting its privacy and security practices.”
Sources familiar with the matter have also told TechCrunch that, under Musk’s mercurial leadership, Twitter risks falling foul of European regulators. If the company is no longer fulfilling key obligations required for it to claim Ireland as its so-called “main establishment” under Europe’s data and privacy rules, it could open up Twitter to greater scrutiny by regulators from individual EU member states.
The concerns have been heightened by the apparent disbanding of Twitter’s security team in recent months. Shortly after Musk completed his $44 billion purchase of the company, Twitter’s most senior cybersecurity leader, CISO Lea Kissner, announced their departure, which was immediately followed by the resignation of Twitter’s chief privacy officer, Damien Kieran, and chief compliance officer, Marianne Fogarty. Shortly after, the Musk-controlled company disbanded its Trust and Safety Council.
It’s not yet clear whether any adequately qualified individuals will be willing to step into these critical compliance roles for privacy and security at Twitter given the current state of affairs. What’s more, it’s become clear that even when Twitter had a full-fledged security team, it was lacking the cybersecurity basics: Twitter’s former head of security, Peiter “Mudge” Zatko, has accused the company of lacking basic security controls, such as firewalls and automatic security fixes, and of covering up “egregious deficiencies” in its cybersecurity defenses.
Since Musk entered Twitter HQ, the company has laid off half of its staff since October, and reports suggest hundreds more left the company after Musk demanded that they commit to an “extremely hardcore” work environment where employees were told to expect longer hours and higher intensity.
As if to give non-billionaire startup owners yet more lessons in how to elicit regulatory scrutiny, Musk-controlled Twitter has also reportedly asked engineers to “self-certify” compliance with FTC rules and decided that moderation policies will be dependent on what side of the bed Musk wakes up on.
The FTC said last month that it was tracking recent developments at Twitter with “deep concern,” adding: “No CEO or company is above the law, and companies must follow our consent decrees.”
The erratic state of Twitter not only gives future startup leaders rare insight into how to stay on the right side of security regulators, but it also teaches another critical lesson: the importance of cash flow. Musk accomplished an impressive feat, taking the top spot for the largest amount of money lost by a single person — between $180 billion and $200 billion since November 2021, according to Guinness World Records.
TechCrunch contacted Twitter for comment on this story but did not hear back; Musk also disbanded the company’s communications team.