Two Former Twitter Employees And A Saudi National Charged In Plot To Provide Saudi Government With Information About Users

SAN FRANCISCO – Ali Alzabarah, Ahmad Abouammo, and Ahmed Almutairi, a/k/a Ahmed Aljbreen, were charged for their respective roles in fraudulently accessing private information in the accounts of certain Twitter users and providing that information to officials of the Kingdom of Saudi Arabia, announced United States Attorney David L. Anderson and Federal Bureau of Investigation Special Agent in Charge John F. Bennett. All three defendants are charged with acting as illegal agents of a foreign government, and Abouammo is also charged with destroying, altering, or falsifying records in a federal investigation.

“The criminal complaint unsealed today alleges that Saudi agents mined Twitter’s internal systems for personal information about known Saudi critics and thousands of other Twitter users,” said U.S. Attorney Anderson. “U.S. law protects U.S. companies from such an unlawful foreign intrusion. We will not allow U.S. companies or U.S. technology to become tools of foreign repression in violation of U.S. law.”

“The FBI will not stand by and allow foreign governments to illegally exploit private user information from U.S. companies. These individuals are charged with targeting and obtaining private data from dissidents and known critics, under the direction and control of the government of Saudi Arabia,” said FBI Special Agent in Charge John F. Bennett. “Insider threats pose a critical threat to American businesses and our national security.”

Alzabarah, 35, of Saudi Arabia, and Abouammo, 41, of Seattle, Washington, were Twitter employees. According to the complaint, between November of 2014 and May of 2015, Almutairi, 30, of Saudi Arabia, and foreign officials of the Kingdom of Saudi Arabia convinced Abouammo and Alzabarah to use their employee credentials to gain access without authorization to certain nonpublic information about the individuals behind certain Twitter accounts. Specifically, representatives of the Kingdom of Saudi Arabia and the Saudi Royal Family sought the private information of Twitter users, including their email addresses, IP addresses, and dates of birth; some of these users had published posts deemed by the Saudi Royal Family to be critical of the regime. This information could have been used to identify and locate the Twitter users who published these posts. The complaint alleges that Alzabarah and Abouammo were compensated for their illicit conduct, including the provision of a luxury watch, cash, and other benefits, in exchange for their agreement to violate Twitter policies by accessing and providing the information. Almutairi is alleged to have arranged meetings, acted as a go-between, and facilitated communications between the Saudi government and the other defendants.

The complaint also contains allegations regarding the reaction of Alzabarah upon being confronted by Twitter about his violations of Twitter policy. According to the complaint, when Alzabarah was confronted by Twitter’s management about accessing users’ information, he sought assistance from Almutairi and others to flee the United States. Alzabarah left the country the next day and submitted his resignation from Twitter by email while en route. With respect to Abouammo, the complaint alleges FBI agents confronted him in October 2018 about his activities on behalf of officials of the Kingdom of Saudi Arabia. In response, Abouammo allegedly lied to the agents and provided them with a falsified invoice in an effort to obstruct the investigation.

Abouammo was arrested in Seattle, Washington, on November 5, 2019, and is making his initial federal court appearance in Seattle at 2:00 p.m. this afternoon. Alzabarah and Almutairi are believed to be in Saudi Arabia. Federal warrants have been issued for their arrest.

A complaint merely alleges that crimes have been committed, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt. If convicted, all three defendants face a maximum statutory sentence of 10 years in prison and a $250,000 fine for acting as an agent of a foreign government without notification to the Attorney General, in violation of 18 U.S.C. § 951. In addition, Abouammo faces an additional 20 years in prison and a $250,000 fine for obstruction of justice, in violation of 18 U.S.C. § 1519. Further, the court may order restitution, if appropriate, and additional periods of supervised release. However, any sentence following conviction would be imposed by the court only after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.

The case is being prosecuted by the Special Prosecutions and National Security Unit of the United States Attorney’s Office for the Northern District of California and the Counterintelligence and Export Control Section of the National Security Division. The prosecution is the result of an investigation by the Federal Bureau of Investigation.

Twitter: Someone Exploited a Zero-Day to Access User Data

As many as 5.4 million Twitter accounts may have been affected.



Twitter has confirmed that someone exploited a zero-day vulnerability to access user data.

The company says in a blog post about the incident that the vulnerability in question "allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account."
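The flaw described above is an account-enumeration oracle in the login flow: the server's reply to an identifier lookup differs depending on whether that identifier belongs to an account. The following is an added example, not Twitter's code, that models such a lookup step in a few lines of Python. It shows the leaky version beside a hardened one that answers every query identically and hands any real signal (a login code) to the account owner out-of-band, a defender's check that compares the two replies, and a per-client rate limiter as defense in depth against bulk scraping. The user directory, identifiers, `OUTBOX` and response shapes are all constructed for illustration.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional

# Constructed sample directory: identifier -> public handle (hypothetical data).
USERS: Dict[str, str] = {
    "alice@example.com": "@alice_example",
    "+15550001111": "@bob_example",
}

# Stand-in for an out-of-band channel (email/SMS); records who was sent a code.
OUTBOX: List[str] = []


def lookup_vulnerable(identifier: str) -> dict:
    """Enumeration oracle: the reply differs for registered vs. unregistered
    identifiers and even names the matching account."""
    handle = USERS.get(identifier)
    if handle is None:
        return {"status": "not_found"}
    return {"status": "found", "handle": handle}


# One fixed reply used for every identifier, registered or not.
GENERIC_REPLY = {
    "status": "accepted",
    "message": "If this identifier is registered, a login code has been sent.",
}


def lookup_hardened(identifier: str) -> dict:
    """Same reply for every input. Whether the identifier exists only affects
    what happens out-of-band (a code goes to the owner), never the response."""
    if identifier in USERS:
        OUTBOX.append(identifier)  # deliver a login code to the owner, not the caller
    return dict(GENERIC_REPLY)


def leaks_existence(lookup: Callable[[str], dict], known: str, unknown: str) -> bool:
    """Defender's check: does this endpoint's reply distinguish a registered
    identifier from an unregistered one? True means the oracle is present."""
    return lookup(known) != lookup(unknown)


class RateLimiter:
    """Sliding-window cap on lookups per client. Bulk enumeration of candidate
    emails/phone numbers needs many queries, so a tight per-client limit and
    alerting on clients that hit it are a second line of defense."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits[client]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def guarded_lookup(limiter: RateLimiter, client: str, identifier: str,
                   now: Optional[float] = None) -> dict:
    """Hardened lookup behind the rate limiter. The rate-limited reply depends
    only on the client's request volume, never on the identifier's existence."""
    if not limiter.allow(client, now):
        return {"status": "rate_limited"}
    return lookup_hardened(identifier)


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_existence(lookup_vulnerable, "alice@example.com", "nobody@example.com"))
    print("hardened leaks:  ", leaks_existence(lookup_hardened, "alice@example.com", "nobody@example.com"))
    rl = RateLimiter(limit=3, window_seconds=60.0)
    for t in (0.0, 1.0, 2.0, 3.0):
        print(t, guarded_lookup(rl, "client-A", "nobody@example.com", now=t))
```

The `leaks_existence` check is the kind of regression test a team would keep in its CI for every endpoint that accepts an email or phone number (login, password reset, "find friends" imports), since the article notes the flaw here came in with a routine update. Response bodies are only one channel; status codes, redirects and response timing should be compared the same way.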

Twitter says the flaw was introduced in a June 2021 update, disclosed by a security researcher in January, and then patched later that month. "At that time," the company says, "we had no evidence to suggest someone had taken advantage of the vulnerability."

Now that’s changed. BleepingComputer reports that someone exploited this vulnerability to scrape information about 5.4 million Twitter accounts—including the phone number or email address discovered via this flaw as well as publicly available data—before it was patched.

Twitter says it "learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled" in July. The company then reviewed a portion of the data being sold and confirmed that it was legitimate.

"We will be directly notifying the account owners we can confirm were affected by this issue," Twitter says. "We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors."