A lawmaker is raising concerns about Twitter's “astonishing” history of security failures, as well as its “alarming” response to last month's account hijackings.
“Though the sheer number of security breaches of high-profile Twitter accounts is astonishing, perhaps more astonishing is the relative unsophisticated nature of each breach,” Rep. James Comer (R-Kentucky), a ranking member of the House Committee on Oversight and Reform, says in a letter sent Tuesday to Twitter CEO Jack Dorsey.
Comer cites three incidents that occurred in the last three years.
In 2017, an employee deleted the @realDonaldTrump account. Last year, Dorsey's own Twitter account was hacked. And last month, a hacker -- allegedly just 17 years old -- gained access to the accounts of Elon Musk, Jeff Bezos, former President Barack Obama and other high-profile users of the platform.
“Such easy access to Twitter’s internal controls is emblematic of the cavalier nature with which the company takes its security,” Comer writes.
“Even more alarming is Twitter’s response to last month’s breach,” the lawmaker writes.
“Twitter blamed the breach on individuals exploiting employees 'working from home,'” Comer adds. “Despite the fact Twitter employees may be working from home forever, your staff said Twitter is 'not in a post-mortem state to talk about changes' the company is thinking about making regarding additional security measures.”
The letter comes shortly after Twitter provided a briefing on Capitol Hill about security issues.
Comer says that during the briefing, Twitter “was unable to answer even basic questions about employee access to user accounts and Twitter’s arrangement with its contractors.”
Comer adds that the committee is especially concerned that Twitter employees and contractors know users' locations and IP addresses.
“If true, any possible abuse or breach of this access has grave implications given that hundreds of world leaders, business elites, and other high-profile persons of interest frequently use Twitter to communicate with the public,” he writes. “The damage a malicious nation-state could do if they were to devote resources towards compromising Twitter’s security could be grave.”
He is asking Dorsey to provide a host of detailed information by August 18.
Among other items, Comer is seeking a list of employees and contractors who can reset Twitter user passwords, or have “user level access” to accounts.