Twitter CISO whistleblower, LastPass security incident and PayPal phishing - Newsletter #5
Plus: the silence of risk management victory and free web security resources.
With a small delay, here’s this month’s newsletter, looking at what happened in August. As I got some positive feedback about the new format, I'll keep it this way.
This was a month marked by the Twitter whistleblower, who alleged that the company's security measures were inadequate. The complaint was filed with the FTC by the former head of security Peiter Zatko, a respected security researcher known as "Mudge".
Here are some of his claims, according to the Washington Post:
(…) thousands of employees still had wide-ranging and poorly tracked internal access to core company software, a situation that for years had led to embarrassing hacks, including the commandeering of accounts held by such high-profile users as Elon Musk and former presidents Barack Obama and Donald Trump.
and it continues:
(…) the company prioritized user growth over reducing spam, though unwanted content made the user experience worse. Executives stood to win individual bonuses of as much as $10 million tied to increases in daily users, the complaint asserts, and nothing explicitly for cutting spam.
These allegations come in very handy for the Elon Musk vs. Twitter case, as they support Musk's claims of excessive bots and spammers on the platform. One to keep following.
What I read last month
What’s going on with security at PayPal (christianvarga.com)
Notice of Recent Security Incident (LastPass)
Study Finds Apple Collects the Least Amount of User Data Among Top Five Tech Giants (Mac Observer)
Your online identity is owned by your email provider (Ctrl.blog)
PayPal Phishing Scam Uses Invoices Sent Via PayPal (Krebs on Security)
Freedom and Privacy (Dergigi)
On Substack
This is an excellent article about Risk Management. Strongly recommended:
On Twitter
A great technical article about storing passwords in databases. At a time when more and more developers use external services to take care of user authentication (Auth0, Okta, etc.), a bit of knowledge about how it's done doesn't hurt.
This is something that grinds my gears. I would totally fail this test.
Very interesting one.

There's a ton of useful cybersecurity resources online from reputable sources. This is a great example: a course taught at Stanford University called "Principles of Web Security".
Totally agree with Troy on this. We all know a lot of companies are being hacked, but that doesn't justify poor security measures.
This is exactly right 😂😂