Whistleblower Says Twitter Misled U.S. Regulators on Hackers, Spam

Twitter Inc. misled federal regulators about its defenses against hackers and spam accounts, according to a whistleblower complaint filed by the social media company's former security chief Peiter Zatko.

Source: Reuters | Published on August 24, 2022

According to documents relayed by congressional investigators, Zatko, a well-known hacker known as "Mudge," alleged in an 84-page complaint that Twitter falsely claimed it had a solid security plan. Twitter's stock dropped 7.3% to close at $39.86.

According to the document, Twitter prioritized user growth over spam reduction, with executives eligible for individual bonuses of up to $10 million tied to increases in daily users and nothing explicitly for spam reduction.

Twitter labeled the complaint a "false narrative." The social media company has been in court with Elon Musk after the world's richest person attempted to back out of a $44 billion deal to buy Twitter. Musk claimed that Twitter did not provide information about the prevalence of bot and spam accounts.

Tesla Inc CEO Elon Musk had offered to buy Twitter for $54.20 per share, claiming that it could become a global platform for free speech.

Twitter and Musk have filed lawsuits against each other, with Twitter asking a Delaware Court of Chancery judge to order Musk to close the deal. A trial is set for October 17.

Zatko filed the complaint with the Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission (FTC) last month. The complaint was also forwarded to various congressional committees.

"We are reviewing the redacted claims that have been published, but what we have seen thus far is a false narrative riddled with inconsistencies and inaccuracies," Twitter CEO Parag Agrawal wrote in a memo to employees.

The top Republican on the Senate Judiciary Committee, Chuck Grassley, said the complaint raised serious national security and privacy concerns that needed to be investigated.

"Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure, and infuse it with foreign state actors with an agenda," he said.

The FTC did not respond. The Senate Intelligence Committee, according to a spokesperson, had received the complaint and was planning a meeting to discuss the allegation.

According to Howard Fischer, a partner at Moses & Singer and a former SEC attorney, Twitter's real regulatory risk is whether the documentary evidence shows "knowing or reckless misleading" of investors or regulators.

'GIVE A LITTLE WHISTLE'

Musk could not be reached for comment, but he reacted on Twitter with robot memes and emoji. Musk's legal team has subpoenaed Zatko, according to CNN, following the whistleblower disclosure.

American hackers have admired Zatko since the 1990s, when he was credited with inventing a password-cracking tool. He later used his hacking skills to become a sought-after security consultant before transitioning to top government and boardroom positions alongside other rebellious techies of the time.

According to the whistleblower document, the incoming Biden administration offered him "a day-one appointed position as Chief Information Security Officer for the United States" following the Jan. 6 riots, which he declined.

Cybersecurity leaders overwhelmingly supported Zatko, and many criticized Twitter's reaction to his revelations.

On Twitter, Robert Lee, founder of industrial cybersecurity firm Dragos, said it was "one of the very rare times based on who it is I don't even need to know a detail to form an opinion." "If Mudge makes this kind of claim, it deserves to be investigated."

Twitter announced in January that Zatko was no longer its head of security, two years after he was appointed to the position.

On Tuesday, a Twitter spokesperson said Zatko was fired for "ineffective leadership and poor performance," adding that his allegations appeared to be intended to garner attention and harm Twitter, its customers, and shareholders.

According to Zatko's attorneys, Debra Katz and Alexis Ronickher, throughout his tenure at Twitter, he repeatedly raised concerns about inadequate information security systems to the company's executive committee, CEO, and board. Twitter did not respond to a request for comment on that statement.