Several people warned Twitter CEO Jack Dorsey about oversight of the contractors and employees who are able to override users’ security settings since 2015, Bloomberg News reported, citing former employees with knowledge of security protocols.
While the concerns came to the forefront this month, after 130 high-profile users’ accounts were hacked and used to promote a cryptocurrency scam, the security flaws have existed for years, to the point that in 2017 and 2018, some contractors deliberately looked into celebrity accounts, including Beyonce’s, under the guise of help-desk inquiries.
The people behind this month’s hack reportedly reached at least one company employee by phone to gain access to security information that in turn gave them access to Twitter internal user-support tools, people familiar with the investigation told the publication.
The company last week began requiring all employees to take an online security training course outlining common phishing techniques, and a spokesperson told the publication it regularly conducts security training “in line with our commitment to protecting the privacy and security of the people we serve.”
This week, Dorsey reportedly told investors Twitter “fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools,” according to the publication.
Former security employees told the publication that Twitter management has failed to manage support staff and contractors’ access to sensitive information, leading contractors to find ways of accessing the data of everyone from celebrities to exes.
People have brought these concerns to the company’s board of directors nearly every year between 2015 and 2019 only for them to go unaddressed in favor of products that stood a better chance of enhancing revenue, according to two former security officials.
“Very few companies understand how vulnerable their operations are to compromise as they expand outside of their headquarters,” Paul Ortiz, a supply chain security consultant, told the publication. “This risk exponentially increases if third-party contract workers are introduced into the equation.”
The Hill has reached out to Twitter for comment.