Twitter's Former Security Chief Filed an 84-Page Federal Complaint Accusing the Company of Hiding Security Failures From Regulators
Peiter Zatko says Twitter misled a federal watchdog, left half its servers unprotected, and may have foreign spies on staff. Twitter calls him a disgruntled ex-employee. Congress says it wants answers.

Key points
- Peiter "Mudge" Zatko, Twitter's former head of security, filed an 84-page whistleblower complaint with U.S. federal authorities in July 2022.
- Zatko alleges Twitter is out of compliance with a 2010 Federal Trade Commission order — a legally binding government settlement requiring the company to protect users' personal data.
- The complaint claims nearly half of Twitter's servers lack basic data encryption, meaning information stored on them is not scrambled against unauthorized access.
- At least one Twitter employee may have been working for a foreign intelligence service, according to the filing.
- Senate Judiciary Committee Chair Richard Durbin confirmed a congressional investigation into the disclosure on August 23, 2022.
Peiter Zatko is not a typical disgruntled employee. Known in security circles by the handle "Mudge," he spent roughly 15 months as Twitter's top security executive before the company fired him in early 2022. He is a widely respected white-hat hacker — someone paid to find and fix security weaknesses rather than exploit them. Last month he submitted an 84-page formal complaint to U.S. federal agencies, first reported by Threatpost, and what it describes is striking.
The complaint's central legal claim is that Twitter has been violating a 2010 consent order issued by the Federal Trade Commission — the FTC, the U.S. government agency that polices companies' privacy promises. That order, still in force, requires Twitter to run a rigorous internal program to protect users' personal information and to submit to independent audits of that program. Zatko alleges Twitter lied to those independent auditors and has never truly complied.
What does this mean for ordinary Twitter users?
If Zatko's account is accurate, your data on Twitter may be far less protected than the company has told regulators. The complaint says Twitter does not delete your personal information when you request it, because of technical limitations inside the company's own systems. It also says that nearly half of Twitter's servers run outdated or unpatched software and lack encryption — the technology that scrambles stored data so that even someone who steals it cannot easily read it.
For everyday users, the practical step is straightforward: treat anything you have ever shared with Twitter — your phone number, email address, location data — as information that may not be fully under the company's control.
The national-security dimension of the filing is what drew bipartisan attention from lawmakers. Zatko claims one or more Twitter employees may have been secretly working for foreign intelligence services. He also alleges foreign governments were allowed to access, monitor, and in some cases censor the platform's internal operations and staff. He argues these two facts together elevate his concerns well beyond a typical privacy dispute.
Twitter's response has been pointed. Chief Executive Parag Agrawal told staff in an internal letter that Zatko's account is "a false narrative riddled with inconsistencies and inaccuracies, and presented without important context." The company describes Zatko as a poor-performing leader who was dismissed and is now deflecting blame.
Congress is not waiting for that dispute to settle. Senator Richard Durbin, who chairs the Senate Judiciary Committee — the Senate panel that oversees federal law enforcement and the judiciary — said on August 23 that he had opened an investigation into the disclosure. Both Democrats and Republicans have signaled interest in holding hearings.
The complaint also lands in the middle of Elon Musk's legal attempt to walk away from his $44 billion deal to buy Twitter. Musk has argued that Twitter's figures on fake — or "bot" — accounts are unreliable. Zatko's filing states that Twitter lacks the technical ability to count those accounts accurately, which hands Musk's legal team a potentially useful data point.
No enforcement action has been announced. The FTC has not commented publicly on the complaint.



