Twitter's whistleblower testifies before Senate committee

Twitter on Tuesday afternoon responded to Zatko's testimony by reiterating a statement it made after his disclosure was initially made public.

The spokesperson added that the company's hiring process is independent of foreign influence, and that access to internal company data is managed through measures such as background checks, access controls and monitoring systems.

The company declined to respond directly to a list of specific allegations by Zatko, including about the company's purported inability to detect whether foreign agents are on its payroll and claims that the FBI has warned Twitter it may have had at least one Chinese agent in the company.

Zatko's hearing showed the extent to which Twitter may be vulnerable to foreign exploitation, making his testimony "really significant," Sen. Josh Hawley told CNN on Tuesday.

Some of Zatko's most concerning allegations, Hawley said, were that Twitter's now-CEO, Parag Agrawal, had proposed making concessions to Russia's government and that Twitter may be providing Chinese entities with information that could be used to unmask people within China who may be illegally accessing Twitter, Hawley said.

There is also no reason to believe Twitter has meaningfully addressed a US government tip about a Chinese intelligence agent on Twitter's payroll, another of Zatko's explosive allegations, Hawley said.

"Nothing [Zatko] said today allays concerns on that score," Hawley told CNN.

In his testimony Tuesday, Peiter Zatko misspoke when he told Sen. Jon Ossoff that Twitter had accidentally leaked the personal information of 50 million employees, according to Whistleblower Aid, the organization providing Zatko with legal representation.

"The 50 million number was a misstatement, and Mudge will issue a correction to the committee," said John Tye, Zatko's attorney and founder of Whistleblower Aid. The correct number, he added, is reflected in Zatko's original disclosure to the US government.

That filing claims that 20,000, not 50 million, current and former Twitter employees have been affected by data leaks involving the company.

During Tuesday's hearing, Zatko had claimed that an internal incident report showed 50 million employees being affected by such breaches, and that Zatko was confused by the figure because Twitter does not have 50 million employees, but does hold extensive records on current and former employees that it does not delete.

Twitter has previously said it has about 7,000 current employees.

Twitter shareholders on Tuesday voted in favor of Musk's $44 billion takeover deal, a value of $54.20 per share. The company's stock opened Tuesday at just under $41 per share, nearly 25% below the deal price. 

The vote came days after Musk's third letter to Twitter seeking to terminate their deal, with this one pegged to a purported $7.75 million severance payment the company made to its former head of security, Peiter Zatko, who later blew the whistle about its alleged security and privacy vulnerabilities.

The outcome of the vote was announced shortly after Zatko concluded testifying on Capitol Hill.

In a wide-ranging hearing that lasted more than two hours, Twitter whistleblower Peiter Zatko told lawmakers about a range of concerns he has about the company.

Here are some of the highlights:

Twitter did not immediately respond to requests for comment from CNN about many of Zatko's allegations.

Peiter Zatko testified that due to its poor security posture, it was possible for Twitter engineers to tweet from other users’ accounts, including those of lawmakers -- though he never saw an employee do so.

“I have seen numerous situations where Twitter engineers had to patch a problem and I said, ‘what was the problem?’ and they said, ‘oh, engineers could tweet as anybody, the data was exposed in this part,’” Zatko said. “It was always reactionary in finding these wounds left and right and putting bandaids on them because the systemic underlying problems were not addressed."

He added: “A Twitter engineer, understanding how the running systems and the data flows were operating could then access and inject, or put forward, information as … any of the senators sitting here today.” 

Zatko said he never saw such a thing happening during his time at the company but added “I am concerned” that it may have happened previously. 

Sen. Lindsay Graham hinted at Elon Musk's bid to buy — and then get out of buying — Twitter when he asked whistleblower Peiter Zatko whether he would buy the company, given what he knows.

Zatko laughed and then responded, "I guess that depended on the price."

Sen. Lindsey Graham asked former Twitter security chief Peiter “Mudge” Zatko if he would recommend that Twitter users continue to use the social media platform given the information he has offered in his whistleblower disclosures and his testimony Tuesday.

Graham offered, "You're not asking to shut them down, you're asking them to get better?"

“Absolutely, sir,” Zatko replied.

Peiter “Mudge” Zatko alleged in his whistleblower disclosures and in his testimony on Tuesday that Twitter may have foreign spies currently on its payroll. He said there may be a number of reasons why governments would try to place agents in the company's ranks.

Among the reasons, he said, it would serve "not just to identify people of interest or track groups of interest, but also to maybe look at whether Twitter has identified your agents or your information operations [and] what other governments has Twitter possibly identified."

"Remember, outside of the ability to access large amounts of data on the engineering side you would want to know what Twitter’s plan is as far whether they will cede to your demands for control of information within their environments or not in order to change different types of political pressures, such as strongarming," he said.