Twitter Inc.’s security lapses were so grave that they threatened national security, the company’s former head of security-turned-whistle-blower told senators on Tuesday. 

Speaking before the Senate Judiciary Committee, Peiter Zatko, also known by his hacker name “Mudge,” said Twitter was a decade behind necessary security upgrades, which he described as a “ticking bomb of security vulnerabilities.”

“Twitter’s unsafe handling of the data of its users and its inability or unwillingness to truthfully represent issues to its board of directors and regulators have created real risk to tens of millions of Americans, the American democratic process, and America’s national security,” Zatko said in the hearing. 

He also said the company’s leadership “repeatedly covered up its security failures by duping regulators and lying to users and investors.”

Zatko, 51, first testified before Congress in 1998, warning a Senate committee about fundamental weaknesses in the internet’s infrastructure. He then went on to work at US Defense Advanced Research Projects Agency, Alphabet Inc.’s Google and the payment service Stripe Inc. before being hired by Twitter founder and former CEO Jack Dorsey in 2020 to help address security concerns.

He was fired in January 2022 over what the company said were performance shortcomings.

His claims come as Twitter prepares to go to court to force Tesla Inc. CEO Elon Musk to complete a $44 billion deal to buy the company. Zatko’s allegations, especially about the prevalence of automated accounts known as bots, are likely to feature prominently in the Oct. 17 trial in a Delaware court. 

Lawmakers raised concerns in particular about Mudge’s allegations that Twitter has allowed foreign agents to operate on its payroll and acquiesced to the demands of adversaries like China. Judiciary Chairman Dick Durbin, a Democrat from Illinois, compared users trusting Twitter to safeguard their data as they might trust a bank—but “at Twitter the vault is wide open,” he said. 

“Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities,” Durbin said in his opening statement. 

Iowa Senator Chuck Grassley, the committee’s top Republican, said Mudge’s disclosures “paint a disturbing picture of a company that’s solely focused on profits at any expense.” 

Grassley said Twitter CEO Parag Agrawal was invited to Tuesday’s hearing to respond to the allegations, but declined because he claimed it could interfere with the ongoing litigation with Musk. “The business of this committee, and protecting Americans from foreign influence, is more important than Twitter’s civil litigation in Delaware,” Grassley said, adding that Agrawal should step down from Twitter if the allegations are true.

There is bipartisan support for new internet regulation to protect user privacy and security, but current proposals have failed to gain much traction as Congress focuses on other priorities. 

One proposal, the American Data Privacy and Protection Act, was approved by the House Energy and Commerce Committee earlier this year on a bipartisan vote and received some support in the Senate, but it has stalled amid opposition from House leadership. 

Several members of the Senate Judiciary Committee have either introduced or co-sponsored their own privacy bills, including the Kids Online Safety Act from Connecticut Democrat Richard Blumenthal and the Plat­form Account­ab­il­ity and Trans­par­ency Act from Minnesota Democrat Amy Klobuchar and Delaware Democrat Chris Coons, but they have not received floor votes in the Senate. 

—Bloomberg News