SEC Probes Twitter Security Lapse Before Elon Musk Took Over

The Securities and Exchange Commission is investigating how Twitter Inc. managed a 2018 security lapse that exposed personal user information before billionaire Elon Musk bought the social media platform last year. The agency has been scrutinizing whether the former top executives failed to adequately disclose those privacy issues to shareholders or put in place proper controls, according to people familiar with the matter who asked not to be identified discussing a confidential investigation. A bug on the social media platform had let outsiders view user email addresses during password resets, which revealed the identity of users, said one of the people.

The executives in charge at the time included Twitter's former Chief Financial Officer Ned Segal and former Chief Technology Officer Parag Agrawal, who became chief executive officer in 2021 after co-founder Jack Dorsey left the company. Dorsey was CEO in 2018.

It isn't clear whether an enforcement action will result from the review or when it will wrap up, the people said. None of the former executives has been accused of any wrongdoing.

Agrawal and Segal were ousted last year after Musk purchased the company for $44 billion. Musk, who changed the platform's name to X Corp., hired an outside law firm to do an internal investigation of complaints about lax computer-security measures at the company after he took over.

The SEC and a spokesman for Segal declined to comment. Spokespeople for X Corp. and Dorsey and a lawyer for Agrawal didn't respond to requests for comment.

Twitter suffered several security breaches in 2018, including discovery of a computer virus that left users' passwords exposed and a security flaw in Twitter's system that made it possible to identify the country codes of Twitter users' phone numbers. That misstep may have allowed wrongdoers to identify countries where accounts were based.

The SEC has been probing the actions of players in Musk's controversial buyout of Twitter for months after questions arose about management of the social-media firm and the billionaire's moves in acquiring it. The agency sued Musk Thursday seeking to force him to testify about whether his actions in the run-up to his Twitter buyout bid violated securities laws. Musk attorney Alex Spiro responded to that case saying that the SEC has already taken his testimony multiple times in that investigation.

The 2018 security issues around user information came up as part of the fight over Musk's effort to cancel his buyout of the social-media platform last year. Musk argued the firm was riddled with operational problems, including a failure to properly safeguard customers' data. The company has suffered more than a half-dozen hacks or security issues since 2018.

Peiter Zatko, Twitter's ex-head of security, alerted US authorities to “egregious deficiencies” in the company's defenses against hackers, according to a lawsuit he filed against the company last year. Zatko, who was fired from Twitter last year, said he raised concerns about data breaches and the number of computer bots the company was counting among its customer base that were dismissed by colleagues. Twitter rejected the claims, describing them as a false narrative and said he was fired for ineffective leadership and poor performance.

Musk pointed to those concerns in arguing he should be able to walk away from his $54.20-per-share offer, but later agreed to go through with the deal at the original price.

Twitter officials have acknowledged in the past they've been contacted by the US Federal Trade Commission and SEC about the operational miscues along with some of Musk's actions in connection with the buyout. No formal charges or lawsuits have been brought over moves by Musk or Twitter executives made during the acquisition. The company has drawn regulatory scrutiny over its privacy protections and is bound by a consent decree with the FTC, which requires greater oversight.

Last year, the social media giant agreed to pay $150 million to settle FTC allegations that it misused users' phone numbers to target advertising in breach of the consent decree. The agency has also been digging into the social media giant's privacy and data security practices following Musk's takeover.

The jousting between Musk and Twitter's former top executives has stretched to the legal fees they've racked up defending themselves in congressional and other investigations. A Delaware judge last week ordered X officials to pay $1.1 million in legal bills covering Agrawal, Segal and ex-Chief Legal Officer Vijaya Gadde for their testimonies before Congress about Twitter being used to interfere with elections.