To All Twitter Users:
This past week, you may have noticed that Twitter had a cyber incident. While we understand the seriousness of the event, we are relieved to share that no one died, our service is still up, and only twelve bitcoins were lost. So that is the good news. But sadly, everything else about this incident is bad. Below I will explain what we did wrong:
First, we have not been able to maintain stable leadership of our security program, with two of our CISOs quitting in the past three years. Worse, we have been without experienced security leadership during the past six months, at a time when our platform was being used to share national security and pandemic-related information. We know this is shameful.
Second, while we have a capable engineering staff that understands modern cyber security technology, we neglected the boring stuff: least-privilege access controls, segregation-of-duties policies, and multi-person control procedures for sensitive actions. As a young company, we do not like bureaucracy, but in retrospect, this was a mistake.
The biggest mistake, however, was ignoring our obligation to define and prevent our worst-case security scenario: that someone would take over important accounts. Leaving an accessible internal tool that allowed staff to take over Twitter accounts was like leaving a gun on a playground. We know this was irresponsible, and we are deeply ashamed.
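The controls named above (least privilege, segregation of duties, multi-person control) are easy to state and easy to skip. The following is an added example, not code from Twitter or from the author of this letter, showing what they look like when placed in front of a sensitive support action such as changing an account's email address. The roles, permission names, staff names and the "change_account_email" action are all hypothetical; the requester may only request, approvers may only approve, no one may approve their own request, and nothing executes until two distinct approvers have signed off.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical roles and permissions, constructed for this example. Each role
# gets only what it needs (least privilege), and the right to *request* a
# sensitive action is never held by the same role as the right to *approve*
# it (segregation of duties).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "support_tier1": {"view_profile"},
    "support_tier2": {"view_profile", "request:change_account_email"},
    "security_approver": {"approve:change_account_email"},
}

# Multi-person control: a sensitive action needs this many distinct approvers.
REQUIRED_APPROVALS = 2


@dataclass
class ActionRequest:
    request_id: int
    action: str
    target_account: str
    requester: str
    approvers: List[str] = field(default_factory=list)
    executed: bool = False


class ApprovalGate:
    """Gate that sits between support staff and a privileged admin action."""

    def __init__(self, user_roles: Dict[str, str]) -> None:
        self.user_roles = user_roles            # user -> role
        self.requests: Dict[int, ActionRequest] = {}
        self.audit_log: List[str] = []          # every decision, allowed or denied
        self._next_id = 1

    def _permitted(self, user: str, permission: str) -> bool:
        role = self.user_roles.get(user)
        return role is not None and permission in ROLE_PERMISSIONS.get(role, set())

    def submit(self, user: str, action: str, target_account: str) -> int:
        """Open a request; only a role holding request:<action> may do this."""
        if not self._permitted(user, f"request:{action}"):
            self.audit_log.append(f"DENY submit {action} by {user}")
            raise PermissionError(f"{user} may not request {action}")
        req = ActionRequest(self._next_id, action, target_account, user)
        self.requests[req.request_id] = req
        self._next_id += 1
        self.audit_log.append(f"SUBMIT #{req.request_id} {action} on {target_account} by {user}")
        return req.request_id

    def approve(self, user: str, request_id: int) -> int:
        """Record one approval; returns the approval count so far."""
        req = self.requests[request_id]
        if not self._permitted(user, f"approve:{req.action}"):
            raise PermissionError(f"{user} may not approve {req.action}")
        if user == req.requester:
            raise PermissionError("requester may not approve their own request")
        if user in req.approvers:
            raise PermissionError(f"{user} has already approved #{request_id}")
        req.approvers.append(user)
        self.audit_log.append(
            f"APPROVE #{request_id} by {user} ({len(req.approvers)}/{REQUIRED_APPROVALS})")
        return len(req.approvers)

    def execute(self, user: str, request_id: int) -> bool:
        """Carry out the action once, only after enough distinct approvals."""
        req = self.requests[request_id]
        if req.executed:
            raise PermissionError(f"#{request_id} was already executed")
        if user != req.requester:
            raise PermissionError("only the original requester may execute")
        if len(req.approvers) < REQUIRED_APPROVALS:
            raise PermissionError(
                f"#{request_id} has {len(req.approvers)} of {REQUIRED_APPROVALS} approvals")
        req.executed = True   # the real change (updating the email) would happen here
        self.audit_log.append(
            f"EXECUTE #{request_id} {req.action} on {req.target_account} by {user}")
        return True


def demo() -> ApprovalGate:
    """Happy path with a constructed staff directory (hypothetical names)."""
    gate = ApprovalGate({"ann": "support_tier1", "bob": "support_tier2",
                         "cara": "security_approver", "dan": "security_approver"})
    rid = gate.submit("bob", "change_account_email", "@example_target")
    gate.approve("cara", rid)
    gate.approve("dan", rid)
    gate.execute("bob", rid)
    return gate


if __name__ == "__main__":
    for line in demo().audit_log:
        print(line)
```

A tool that lets one support agent change an account's email in a single click has none of these checks; the point of the gate is that a single compromised or coerced staff account can open a request but cannot complete one, and that the audit log records the attempt either way.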
We are announcing today a three-point program to fix our security: To start, we will create an advisory program of experienced professionals to review our program top-to-bottom and recommend enhancements to me. Second, I have set aside unlimited budget for our team to create the policies, procedures, and infrastructure needed to fix our security.
The third and toughest action, however, is this: I hereby announce that no one should trust any information from any Twitter account until we get our security under control. If, for example, a Tweet directs you to evacuate a city, drink bleach, or take some other rash action, then you must ignore it. (And this includes Tweets from you-know-who.)
To summarize, we are embarrassed by this irresponsible cyber security breach, and we will do everything within our control to regain your trust in the coming years.