On Tuesday, Twitter’s ex-security lead turned whistleblower Peiter Zatko, known as Mudge, testified to the Senate Judiciary Committee.
Here’s what his insider information revealed about the social media giant.
According to the FBI, Twitter is home to a Chinese spy
In his opening remarks, Sen. Chuck Grassley, the ranking member of the Senate Judiciary Committee, said that the FBI warned Twitter it might be housing a Chinese spy.
Mudge told the panel that the spy was an agent of China’s Ministry of State Security, or MSS, the country’s main intelligence agency. He added that India also “succeeded in placing agents on the company payroll” who were granted “direct unsupervised access to the company’s systems and user data.”
Last month, a former Twitter employee was found guilty of spying for the Saudi government, leaking the user data of suspected dissidents.
Thousands of weekly attempts to hack Twitter
Mudge said that the system tracking logins for Twitter engineers, who had unlimited access to company data, including personal user information and other sensitive company information, recorded as many as 3,000 failed login attempts each day.
Parag Agrawal, Twitter’s chief technology officer at the time, did not assign anyone to diagnose or fix the issue.
Mudge testified: “This fundamental lack of logging inside Twitter is a remnant of being so far behind on their infrastructure, the engineering, and the engineers not being given the ability to put things in place to modernize.”
What Twitter really knows about its users
According to Mudge, even Twitter does not fully understand the scale of the data it collects, which includes: a user’s phone number, the current and past IP addresses the user connects from, current and past email addresses, the person’s approximate location derived from those IP addresses, and information about the device or browser the person uses to access Twitter, such as its make and model, and the user’s language.
Information like this, which “might be used with other data collection”, could help governments target particular groups for charges such as dissidence and incitement, or ultimately be used to harass them.
It can also be misused by the company itself, which the FTC previously accused of breaching a 2011 order that explicitly prohibited it from misrepresenting its privacy and security practices, and of passing personal information collected at sign-up to advertisers without users’ explicit consent.
Lina Khan, who chairs the FTC, explained: “As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes, but then ended up also using the data to target users with ads.”
U.S. government agencies are too lax
Mudge accused the FTC of being a “little over its head”, allowing companies to “grade their own homework.”
Referencing the 2011 privacy agreement, Mudge asked, “How [has Twitter] been passing this?”
He then added, “what I have seen, the tools in the toolbelt are not working.”
On the same day that Mudge made his statement, the majority of Twitter’s shareholders voted in support of Elon Musk’s $44 billion buyout bid. Musk, who was keen on the offer, is now looking for ways to get out of it.