Twitter Says Parts of Its Source Code Were Leaked Online

Parts of Twitter’s source code, the underlying computer code on which the social network runs, were leaked online, according to a legal filing, a rare and major exposure of intellectual property as the company struggles to reduce technical issues and reverse its business fortunes under Elon Musk.

Twitter moved on Friday to have the leaked code taken down by sending a copyright infringement notice to GitHub, an online collaboration platform for software developers where the code was posted, according to the filing. GitHub complied and took down the code that day. It was unclear how long the leaked code had been online, but it appeared to have been public for at least several months.

Twitter also asked the U.S. District Court for the Northern District of California to order GitHub to identify the person who shared the code and any other individuals who downloaded it, according to the filing.

Twitter launched an investigation into the leak and executives handling the matter have surmised that whoever was responsible left the San Francisco-based company last year, two people briefed on the internal investigation said. Since Mr. Musk bought Twitter in October for $44 billion, about 75 percent of the company’s 7,500 employees have been laid off or resigned.

The executives were only recently made aware of the source code leak, the people briefed on the internal investigation said. One concern is that the code includes security vulnerabilities that could give hackers or other motivated parties the means to extract user data or take down the site, they said.

The exposed source code adds to the challenges facing Mr. Musk’s Twitter. Technology companies often view such code as a closely held secret and do not share it for fear that it could give competitors an unfair advantage or reveal security vulnerabilities.

But even as tech companies strive to protect their code bases, they have become ripe targets for opportunists, hackers and others. Last year, a hacking group successfully stole source code from Microsoft and other major companies. And in 2020, Anthony Levandowski, a star engineer of self-driving cars, was sentenced to 18 months in prison for stealing code from Google as he prepared to start a new job. (Mr. Levandowski was later pardoned by then-President Donald J. Trump.)

The public posting of Twitter’s code is “concerning,” said Brett Callow, a threat analyst at Emsisoft, a cybersecurity software company. “It does make it a little bit easier and speedier to probe for vulnerabilities.”

For Twitter, the leak also comes on top of mounting structural and financial challenges. Mr. Musk has been trying to turn around the social network over the past few months by slashing costs, trying out new features and welcoming back previously banned users. But outages of the service have increased, while advertisers — the main source of revenue for the company — have been skittish about running ads on the site.

The turmoil has caused financial damage. On Friday, Mr. Musk told employees in an email that Twitter was worth roughly $20 billion, down more than 50 percent from the what he paid for it. He said “radical changes” at the company, including mass layoffs and cost cutting, were necessary to avoid bankruptcy and streamline operations.

“Twitter is being reshaped rapidly,” Mr. Musk wrote in the email seen by The New York Times. He added that the company could be thought of as “an inverse start-up” and that he believed Twitter could someday be worth $250 billion.

Mr. Musk did not respond to a request for comment about Twitter’s leaked code. GitHub declined to comment on the decision to remove the code, but posted Twitter’s takedown request on its website.

The leak comes as Mr. Musk has promised to make some of Twitter’s code public. This month, the billionaire said that he would make the code that Twitter uses to recommend tweets publicly available by the end of March, so that it could be reviewed by anyone and scrutinized for possible flaws. The process could help Twitter’s code become more secure, as people identified and reported problems with it.

At the same time, Mr. Musk has worried about the possibility of leaks and theft by disgruntled former employees during his mass layoffs. In November, he locked Twitter’s offices and asked employees not to come in while cuts were being made. Over the last few months, Twitter has also prevented engineers from making changes to the site’s code ahead of layoffs for fear that someone would sabotage the platform on the way out the door.

“One of the best ways to mitigate insider risk is to keep your employees happy and that certainly hasn’t been the case at Twitter,” Mr. Callow said.

The person who leaked Twitter’s source code appeared to go by the name “FreeSpeechEnthusiast” on GitHub, according to Twitter’s legal filing. The user’s pseudonym appears to reference Mr. Musk, who has referred to himself as a “free speech absolutist.”

The GitHub profile for the anonymous user shows a single contribution to the platform in early January. The profile remains online.

Jack Begg contributed research.