Here’s How Bad a Twitter Mega-Breach Would Be
Elon Musk laid off half the staff, and mass resignations seem likely. If nobody’s there to protect the fort, what’s the worst that could happen?
In the weeks since Elon Musk was forced to complete his acquisition of Twitter for $44 billion, the social network has been in a state of dramatic upheaval. Musk laid off more than half its workforce and fired more via public tweets. Digital infrastructure went on the fritz. And today, a reported 75 percent of staff refused to sign a pledge to work “long hours at high intensity,” ostensibly triggering their resignations. It’s now unclear who still works at Twitter.
In short, all hell is breaking loose at the bird site.
As the chaos mounts, one consequence inside the company could be less attention on digital security monitoring and fewer dedicated staffers working to defend Twitter from cyberattacks. And that could put the company and its users at increased risk of a massive data breach or other security incident.
The possibility of a Twitter breach is particularly worrying given a whistleblower report and congressional testimony this summer from Twitter’s former chief security officer, Peiter Zatko, that alleged an already dire state of the company’s internal defenses and access controls. In other words, the company already seemingly had security issues before Musk took over—and the situation may have gotten worse since.
The good news is that, unlike the credit bureau Equifax or Sony Pictures—both of which suffered breaches of incredibly sensitive user or internal information in the past eight years—Twitter doesn’t broadly collect or store government-issued identity data like Social Security numbers, doesn’t hold financial information about most of its users, and doesn’t require users to input data like street addresses or birth dates. Plus, while not all tweets are shared publicly, most are. Yet Twitter still holds a vast and potentially extremely valuable trove of user data, including the contents of their direct messages and the social graph of who users have communicated and interacted with on the platform, as well as phone numbers, email addresses, and other potentially private details. Users can also opt into location-sharing in tweets, and the company has collected different user information at different times over the years, which could mean it holds more than you realize.
Users also have limited ability to delete their direct messages on Twitter. The chat platform offers the option to “Delete for You,” meaning you can delete messages in your own account, but you can’t delete them for the users with whom you are DM’ing. And in general, Twitter has not stated firmly what its practices are with regard to deleting user data even when they deactivate their accounts. Twitter’s policy on account deactivation simply says, “If you do not log back into your account for the 30 days following the deactivation, your account will be permanently deactivated. Once permanently deactivated, all information associated with your account is no longer available in our Production Tools.” Given that no form of the word “delete” appears there, it’s difficult to parse the true meaning of the policy.
Twitter did not return multiple requests for comment from WIRED about data deletion. Relatedly, the company’s entire communications department has reportedly been let go.
Security researchers and incident responders emphasize, though, that a breach of Twitter’s infrastructure or a data leak wouldn’t necessarily focus on impacting users but could also reveal sensitive company information. And malicious control of Twitter’s infrastructure could be weaponized in a number of ways to spread disinformation, stoke conflict, or even hijack Twitter’s mobile apps.
“Twitter has seemingly neglected security for a very long time, and with all the changes, there is risk for sure,” says David Kennedy, CEO of the incident response firm TrustedSec, who formerly worked at the NSA and with the United States Marine Corps signal intelligence unit. “There’s a lot of work to be done to stabilize and secure the platform, and there is definitely an elevated risk from a malicious insider perspective due to all the changes occurring. As time passes, the probability of an incident lowers, but the security risks and technology debt are still there.”
A breach of Twitter could expose the company or users in myriad ways. Of particular concern would be an incident that endangers users who are activists, dissidents, or journalists under a repressive regime. With more than 230 million users, a Twitter breach would also have far-reaching potential consequences for identity theft, harassment, and other harm to users around the world. And from a government intelligence perspective, the data has already proved valuable enough over the years to motivate government spies to infiltrate the company, a threat the whistleblower Zatko said Twitter was not prepared to counter.
The company was already under scrutiny from the US Federal Trade Commission for past practices, and on Thursday, seven Democratic senators called on the FTC to investigate whether “reported changes to internal reviews and data security practices” at Twitter violated the terms of a 2011 settlement between Twitter and the FTC over past data mishandling.
Were a breach to happen, the details would, of course, dictate the consequences for users, Twitter, and Musk. But the outspoken billionaire may want to note that, at the end of October, the FTC issued an order against the online delivery service Drizly along with personal sanctions against its CEO, James Cory Rellas, after the company exposed the data of roughly 2.5 million users. The order requires the company to have stricter policies on deleting information and to minimize data collection and retention, while also requiring the same from Cory Rellas at any future companies he works for.
Speaking broadly about the current digital security threat landscape at the Aspen Cyber Summit in New York City on Wednesday, Rob Silvers, undersecretary for policy at the Department of Homeland Security, urged vigilance from companies and other organizations. “I wouldn’t get too complacent. We see enough attempted intrusions and successful intrusions every day that we are not letting our guard down even a little bit,” he said. “Defense matters, resilience matters in this space.”
Dan Tentler, a founder of the attack simulation and remediation firm Phobos Group who worked in Twitter security from 2011 to 2012, points out that while the current chaos and understaffing within the company do create pressing potential risks, they could also pose challenges to attackers, who might have difficulty in this moment mapping the organization to target employees who likely have strategic access or control within the company. He adds, though, that the stakes are high because of Twitter’s scale and reach around the world.
“If there are insiders left within Twitter or someone breaches Twitter, there’s probably not a lot standing in their way from doing whatever they want—you have an environment where there may not be a lot of defenders left,” he says.