Nov 29, 2022 - Technology

Breaking down the cybersecurity risks at Elon Musk's Twitter

Illustration of the twitter bird logo as an open padlock

Illustration: Sarah Grillo/Axios

A massive Twitter staff exodus in the first month of Elon Musk's ownership is only exacerbating the company's long list of existing data security problems, experts tell Axios.

Why it matters: While Twitter's list of cybersecurity challenges hasn't appeared to change yet, dwindling staff numbers mean the company could struggle to fix security flaws or respond in the event of a massive hack.

The big picture: Twitter already had a troubled history of data breaches, account takeovers and poor internal cybersecurity hygiene.

  • Earlier this year, former Twitter CISO Peiter "Mudge" Zatko filed a whistleblower complaint detailing the extent of Twitter's security problems, from a lack of employee access controls to a company culture that failed to take cybersecurity seriously.
  • In 2020, a 22-year-old hacker broke into Twitter and took over accounts belonging to then-presidential candidate Joe Biden, former President Barack Obama and Musk himself.

Between the lines: Cybersecurity alarm bells in the last month mostly stem from reports of the company's quickly shrinking staff numbers rather than new and emerging threats.

  • But without a full security team, it's hard to see how the company can quickly patch vulnerabilities in its systems or respond to a massive data breach of its systems, says Erick Galinkin, an analyst at cybersecurity company Rapid7.
  • Glitches have already started at Twitter, presumably due to low staff levels, including a bug that broke Twitter's multifactor authentication tool shortly after the latest employee exodus.

Threat level: Experts have anticipated that ongoing turbulence at Twitter will only motivate more hackers and scammers to target the company and its users.

  • Most data breaches would affect data that's likely already floating around on the dark web from past hacks, including email addresses, passwords and birthdates.
  • Twitter doesn't collect someone's most sensitive information, such as their Social Security number, and it has financial information only for Twitter Blue subscribers.

Yes, but: Hackers and Twitter employees could potentially learn a lot from someone's private direct messages depending on what information is shared.

  • Some users may have shared personal information in what they perceived as secure private messages, for example.
  • It's likely more hackers will be newly motivated to "leak every Twitter DM" just to embarrass Musk's leadership, Galinkin says.

What's next: Musk appears to be trying to create a slightly more secure Twitter based on his reported plans to encrypt direct messages and support encrypted video and voice calling between accounts, as The Verge reports. But it's unclear how quickly those plans will come to fruition, especially with a smaller staff.

  • Security could become an even bigger priority as Musk pushes to grow subscriber numbers and pursues projects to support in-app payments.
  • Twitter is likely to face further regulatory pressure to improve its internal security practices as the Federal Trade Commission watches Musk's takeover unfold.
  • Twitter did not respond to a request for comment.

Be smart: While the data security concerns at Twitter are nothing new, they do serve as a reminder to be mindful of what you share on the internet.

  • "You don't need to be any more worried than you should have been a month ago," Galinkin says.
