Twitter source code gets leaked online. Here’s why it matters.
THE SECRET SAUCE, NO LONGER SECRET
The New York Times reported on March 26th that Twitter had sent a copyright infringement notice to GitHub. The company asked the code-hosting platform to remove a repository containing what it said was leaked source code. GitHub removed the code the same day, and while it was not immediately known when the leak first occurred, the Times reported the code had been exposed for a number of months.
The optics are troubling. Any leak of source code is worrisome for any company. For a software or platform company, however, it’s infinitely worse. Source code is essentially the master key to an organization, particularly one, like Twitter, whose entire value proposition revolves around the code it creates and deploys – and if it gets out, then there’s no telling what malevolent actors could do with it.
There’s no way to sugar-coat this: a loss of this type is potentially business-killing for any company. Source code is the modern-day equivalent of closely guarded secrets like KFC’s 11 herbs and spices or the Coca-Cola formula.
In a competitor’s hands, for example, it could be used to reverse engineer existing features. In a cybercriminal’s hands, it could be used to compromise the underlying security of the platform. Whatever the use case, a source code leak or breach is about as bad as it gets.
BUT WAIT, IT GETS WORSE
This would be troubling enough for any organization, but especially so at Twitter.
That “but” is one of context – since Elon Musk took over, it’s been one slipup and debacle after another, all of them tied back to the new owner’s famously thin-skinned and impulsive management style. Beyond sheer optics, the company’s finances are collapsing, and Twitter is now reportedly worth less than half of the $44 billion that Musk paid for it.
Worse, the skilled developers and leaders who would be expected to respond to this leak no longer work for the company. Twitter must now neutralize the compromised code and toughen the security of the remaining environment to minimize the potential damage – but its remaining staff lack the specific expertise to do so.
Instead, the company is essentially being run by a skeleton staff of those who have survived four major rounds of layoffs, and borrowed resources from Musk’s other companies, like Tesla, SpaceX, The Boring Company, and Neuralink. These inter-company transfers may be experts in their respective domains, but they lack the institutional knowledge that’s walked out the door since Musk’s arrival.
As part of Twitter’s legal motion to have GitHub remove the repository, it has asked the collaboration platform to identify the individual who posted the source code, as well as anyone else who might have downloaded it afterward.
Twitter has also launched an investigation, with reports suggesting executives believe the leak was the responsibility of a disgruntled former employee who left the company toward the end of 2022.
THE RIPPLE EFFECT
This latest crisis has massive implications for the millions of end-users who continue to use the service daily, as it suggests continued erosion in the company’s ability to protect its core assets from internal and external threats. If Twitter is unable to secure its own source code – or even identify the breach months after it was first leaked – then that should set off alarms for all users that they can no longer trust that their own accounts remain secure.
Twitter is already sagging under the weight of skyrocketing rates of abuse, racism, and misinformation – plus advertisers continue to shun the platform amid concerns around protecting their brand from appearing alongside questionable content. The Twitter Blue subscription service, which was supposed to help open up a new revenue stream beyond advertising, has raised barely $11 million in the 3 months since it went live. Losing its source code won’t help and adds to the freight train crash for a platform that was once considered the conscience of the internet.
THE BOTTOM LINE
Twitter’s latest headline-making mess should serve as a wake-up call to companies concerned with their own security. Every organization relies heavily on a range of software to power its business. And while every environment is unique, we are all potentially at risk if clients or vendors within our own respective organizational footprint suffer a similar breach.
This leak should also prompt organizations – like yours – to start asking questions of your own. Are you doing due diligence on your vendors and providers to uncover similar vulnerabilities? Do you trust these organizations to keep their own software resources, as well as those they build and maintain for clients like you, secure? Are you protected if they aren’t? Are you working with organizations that treat their employees well? Or not?
At STEP Software, we deal with these questions and answers every day, and are always around if you’re looking for answers in your own shop. Because the Twitter source code leak now serves as a reminder of just how costly it can be to never ask these questions in the first place.