Twitter source code was leaked on GitHub shortly after Musk’s layoff spree
Portions of Twitter’s source code recently appeared on GitHub, and Twitter is trying to force GitHub to identify the user or users who posted the code.
GitHub disabled the repository on Friday shortly after Twitter filed a DMCA (Digital Millennium Copyright Act) takedown notice but apparently hasn’t provided the information Twitter is seeking. Twitter’s DMCA takedown notice asked GitHub to provide the code submitter’s “upload/download/access history,” contact information, IP addresses, and any session information or “associated logs related to this repo or any forks.”
The GitHub user who posted the Twitter source code has the username “FreeSpeechEnthusiast,” possibly a reference to Twitter owner Elon Musk casting himself as a protector of free speech.
“It was unclear how long the leaked code had been online, but it appeared to have been public for at least several months,” a New York Times article said. Despite that, the NYT article said Twitter “executives were only recently made aware of the source code leak.”
GitHub user FreeSpeechEnthusiast’s profile indicates the user joined GitHub on January 3, 2023, and made its only code submission on the same day. Twitter’s DMCA notice to GitHub described the code as “proprietary source code for Twitter’s platform and internal tools.”
Suspect list could include thousands of ex-employees
The leaker may have been one of the roughly 5,500 employees who left Twitter via layoff, firing, or resignation after Musk bought the company. Twitter also reportedly laid off about 5,000 contractors shortly after the Musk acquisition. There were presumably many employees who did not have access to the specific source code that was leaked, however.
“Twitter began an investigation into the leak and executives handling the matter have surmised that whoever was responsible left the San Francisco-based company last year, two people briefed on the internal investigation said,” the NYT wrote.
Musk said on March 17 that Twitter will make “all code used to recommend tweets” open source by March 31, but the leaked code may be much more sensitive. The NYT said its sources indicate that Twitter executives are concerned “that the code includes security vulnerabilities that could give hackers or other motivated parties the means to extract user data or take down the site.”
Twitter sent the takedown notice on Friday and asked a federal court to issue a subpoena later the same day. “The DMCA Subpoena is directed to service provider GitHub,” Twitter’s request for a subpoena said. “GitHub operates a website to which the infringing party or parties (identified by their GitHub username as FreeSpeechEnthusiast) posted various excerpts of Twitter source code, which posting infringes copyrights held by Twitter in those materials.”
Twitter seeks “all identifying information”
Twitter’s proposed subpoena seeks “all identifying information, including the name(s), address(es), telephone number(s), email address(es), social media profile data, and IP address(es), for the user(s) associated with the following GitHub username: FreeSpeechEnthusiast.” It also asks for “all identifying information provided when this account was established, as well as all identifying information provided subsequently for billing or administrative purposes.”
The subpoena request further seeks all identifying information for any “users who posted, uploaded, downloaded or modified the data” at the repository where the Twitter source code was posted.
When contacted by Ars, GitHub did not comment on Twitter’s request for the user’s identifying information or the attempt to obtain a subpoena. “GitHub does not generally comment on decisions to remove content. However, in the interest of transparency, we share every DMCA takedown request publicly,” a GitHub spokesperson said. The Twitter DMCA takedown notice was posted publicly by GitHub.
GitHub is owned by Microsoft. Another Twitter court filing contains the email thread between Twitter and GitHub that led to the takedown on Friday. It appears that GitHub disabled the repository less than an hour and a half after Twitter filed the takedown notice.