It is very significant that just when Twitter is targeted by an attack enabled by the theft of credentials from some of its employees, U.S. prosecutors have filed a superseding indictment in federal court against two former Twitter employees for allegedly spying on dissidents on behalf of Saudi Arabia.
The Department of Justice had alleged last year that two former Twitter employees, Ahmad Abouammo and Ali Alzabarah, had been recruited by a Saudi national with ties to the royal family. The two employees abused their access to Twitter to collect sensitive information about Saudi dissidents, including location data, email addresses, and phone numbers. They also allegedly targeted a close associate of American journalist Jamal Khashoggi, who was murdered in 2018, according to the CIA, at the behest of Saudi Crown Prince Mohammed bin Salman.
Abouammo worked as Twitter’s head of social media partnerships for the Middle East and North Africa. He allegedly met with a Saudi official in 2014 and soon after accessed Twitter users’ information. He pleaded not guilty last year and is in U.S. custody. Before Abouammo left Twitter, he allegedly passed on his contacts to Alzabarah, a site reliability engineer. According to the prosecutors, Alzabarah used that information to access data about 6,000 users.
News about the indictment comes shortly after Twitter suffered the insider breach we described in previous posts.
The two breaches raise questions about Twitter’s ability to control its employees’ access to its own users’ sensitive information. In relation to this case, Twitter claims that
“we understand the incredible risks faced by many who use Twitter to share their perspectives with the world and to hold those in power accountable”
but, to reassure its users, it said it had “tools” in place to protect user privacy.
Hence, the new attack is just a further symptom of an old, unsolved problem.