Here’s How Bad a Twitter Mega-Breach Would Be

The social network has been in turmoil since it was forced to be acquired by Musk. More than half of its workforce was laid off. The digital infrastructure went off the rails. According to a report, 75 percent of staff refused to sign a pledge to work long hours. It's not clear who still works at the social networking site.

The bird site is on the verge of collapse.

One consequence of the chaos is less attention being given to digital security monitoring and more attention being given tofending off cyberattacks. That could cause the company and its users to be at increased risk of a big data breach.

Peiter Zatko, the company's former chief security officer, testified in Congress this summer about the state of the company's internal defense and access controls. The company may have had security issues before Musk took over.

The good news is that, unlike the credit bureau Equifax or Sony Pictures, which both of which suffered of incredibly sensitive user or internal information in the past eight years,Twitter doesn't hold financial information about most people. The contents of their direct messages and the social graph of who users have communicated and interacted with on the platform, as well as phone numbers, email addresses, and other potentially private details, are still held by the company. The company has collected different user information at different times over the years, which may mean it holds more than you think.

Users can't remove their direct messages on the micro-messaging service. You can remove messages from your own account, but they can't be deleted for users with whom you are communicating. When it comes to deletion of user data even when it's deleted from their accounts, there's not a lot of information about it. If you don't log into your account for 30 days after deactivation, your account will be permanently disabled. It's difficult to understand the true meaning of the policy since there is no word "delete" in it.

WIRED asked for comment about data deletion, but did not get a response. The communications department has been let go.

Security researchers and incident responders emphasize that a data leak or infrastructure break-in wouldn't be focused on impacting users but could reveal sensitive company information. There are a number of ways in which malicious control of the infrastructure could be used to spread misinformation.