Reading List

The most recent articles from a list of feeds I subscribe to.

Game companies are the perfect targets for verified Twitter impersonators



Elon Musk’s grand experiment with Twitter verification kicked into high gear Wednesday, with blue check marks suddenly appearing alongside any account willing to fork over $8 for Twitter Blue. Within hours, the obvious unfolded: Trolls and hoax-spreading tricksters began wreaking havoc on the platform by impersonating major brand accounts, achieving the opposite of Musk’s intended effect of tackling bots and scammers through erecting a paywall without ID verification.

Among the very first types of brand accounts to fall victim to Twitter impersonators were gaming companies. An account named @nlntendoofus went viral in short order by posting an edited image of Mario flashing his middle finger with a display name reading “Nintendo of America,” identical to the real deal. Another account, @valvesotfware, falsely claimed a virtual announcement related to Steam owner Valve’s upcoming game Ricochet: Neon Prime. (Neon Prime is the mysterious name of a trademark Valve registered last month, while Ricochet is a dormant “Tron”-like shooter game Valve released more than two decades ago.)

Twitter suspended both accounts after a few hours, and the company said it is “aggressively going after impersonation and deception” on the platform in the wake of its botched rollout of “Official” labels intended to differentiate Blue subscriber accounts from those of legitimate brands.


Yet the two incidents manage to perfectly encapsulate some of the obvious pitfalls of Twitter’s dicier and more muddled approach to verification, while also underlining why gaming companies in particular are such easy targets. The smear against beloved brand ambassador Mario — the princess-saving plumber would never give anyone the bird, one hopes — shows an immediate point of vulnerability in letting just anyone slap a blue check mark on their profile. If they’re willing to do this to Mario, who’s next?

The Valve instance is more insidious in that it highlights how a simple source of disinformation can spread far and wide if it comes from a believable-looking source and the contents of the message walk the fine line between legitimate and suspect. It appears the stunt was also a form of protest: The account, prior to getting suspended, scolded Musk by telling him to “do better” and writing, “Misinformation is so easy to spread and the damage it can cause can have a real impact on people, much more of an impact than a fake game announcement.”

It’s no wonder then that the game industry, known for its culture of intense secrecy and its direct messaging and marketing with fans on social media, was the go-to for showcasing the flaws in Twitter’s new system. Nintendo and Valve were immediate targets, right up there alongside a viral LeBron James trade rumor hoax and a fake Donald Trump account that made the rounds Wednesday. (For a more complete list of the optics nightmare Twitter Blue is presenting for public figures and brands alike, see this informative thread.)

Nintendo almost exclusively communicates news and product announcements to English-speaking fans through Twitter. Many other Japanese and Western game companies, like Sony and Cyberpunk 2077 developer CD Projekt Red, do the same. Twitter is also the social platform of choice for the game industry at large. Developers congregate on the platform to swap expertise, network, and communicate their opinions on industry developments. Twitter is where gaming brands interact directly with fans and where notable corporate accounts, like the one belonging to the Sonic the Hedgehog franchise, have been transformed over the years into tongue-in-cheek social media personas.

Outside of forums like Reddit, ResetEra, and NeoGAF, Twitter is where gaming fans go to argue, be seen, and interact with the industry’s biggest names. Many industry watchers are also rabid consumers of gaming news, whether it be the thinnest rumors about a product announcement or an explosive story of corporate misconduct at a major game publisher. These readers are often not interested in submitting every single tweet that comes across their timelines to vigorous fact-checking.

In fact, it would have required at least two taps or clicks on Twitter to see whether @nlntendoofus or @valvesotfware were legitimate: one to go to the profile and the other to click on the verified symbol to see whether it read “This account is verified because it’s notable” or “This account is verified because the user paid for Twitter Blue.” (You could also have made an educated guess based on the account’s number of followers, but again, that’s demanding that Twitter users rely on a type of judgment they’re simply not used to exercising.)

The distinction there, nested inside of all profiles now carrying the verified symbol, is utterly ill-equipped to be effective considering the speed at which information spreads on the platform. The question for gaming companies now is how best to grapple with a social media website that has removed all guardrails to impersonation outside after-the-fact suspension. Will companies reduce their presence on the site, or will they turn to other means of communication like Instagram, TikTok, or YouTube?

Social media strategist Myles Worthington, a former Twitter guru at Netflix who went on to form his own brand advisory firm, told Protocol’s Janko Roetters that he’s advising clients to pause larger ad spends on the platform. “I’m telling brands to monitor the daily (sometimes hourly) shifts and … plan accordingly,” he said.

Twitter has already spooked advertisers and is now contending with an exodus of top-level talent from across its policy, moderation, and security teams — even as Elon Musk assures his own employees the company will in the near term “be significantly reliant on advertising” to survive. The more existential question for brands, and especially gaming companies that have come to rely on Twitter as a direct line of communication to fans, is at what point Twitter stops being worth it and starts becoming a serious liability.

If what happened with Nintendo and Valve is any indication, we may soon find the breaking point.

Twitter’s security and privacy leaders just quit. Here’s what you need to know.



The unraveling of Twitter may have just accelerated with the departure of top executives responsible for the company's security and privacy functions.

This sort of exodus would be a bad sign for any company, of course. But Elon Musk's Twitter is also subject to a Federal Trade Commission consent decree, most recently updated in May, after past privacy and security practices came under fire. On Thursday, the agency was quick to express its concern with the latest developments, including in comments to The Washington Post.

There's a lot going on here, so Protocol has rounded up what you need to know about the departures of top security and privacy leaders at Twitter.

Who left?

Chief Information Security Officer Lea Kissner confirmed their departure in a tweet, and Protocol reported that Kissner, as well as Twitter's chief privacy officer and chief compliance officer, resigned on Wednesday night. The Washington Post reported that "several other members" of the security and privacy teams have exited as well.

What prompted their departure?

The two-word answer would seem to be “Elon Musk.” Former Twitter privacy staff members told The Washington Post that Musk's push for rapid product updates meant that feature changes would, by extension, need to be done without a full privacy and security review.

Such a review is obviously crucial for protecting users, under any circumstances. But the FTC consent decree from May makes these reviews even more obligatory. Therefore, rolling out new features without reviewing the security and privacy implications would seem to directly clash with the FTC order.

And while Musk has proven again and again that he doesn’t care much about the desires of regulators, Twitter’s security and privacy teams certainly did. "Dollars to donuts, that small team mandated by the FTC order = all the people who just quit," tweeted Riana Pfefferkorn, a former outside counsel for Twitter.

Given the turmoil caused by less than two weeks of Musk’s ownership, it would appear to have not only become impossible to do that job from a practical standpoint, but also potentially legally tenuous. That’s particularly the case after the recent conviction of Uber's former chief security officer, Joe Sullivan, on federal charges that included obstruction of FTC proceedings.

"Why would anyone take the fall for [Musk]?! This isn't the mob. Some execs would def face personal liability for illegal acts," Pfefferkorn tweeted. "After Joe Sullivan, I bet folks won’t feel like finding out."

Who will take over for them?

There was no immediate word as to a successor to Kissner or the other executives who departed. And for all of the reasons just mentioned, these might be tough jobs to fill.

"You would have to be insane to take the Twitter CISO job now," tweeted Alex Stamos, Facebook's former chief security officer and now director of Stanford's Internet Observatory.

What does this mean for Twitter security and privacy?

Nothing good. "There is a serious risk of a breach with drastically reduced staff," Stamos tweeted.

Meanwhile, the expansion of the Twitter Blue service to include the ability to pay for verification has already seen significant abuse from fraudulent actors, even prior to the departure of key security and privacy team members. And for a site where account takeovers and fraud are everyday issues in normal times, additional chaos in that sphere is all but inevitable.

What is the FTC saying?

The FTC is "tracking the developments at Twitter with deep concern," according to comments provided to The Washington Post.

As Politico reported previously, the FTC was already on “high alert” for violations of the May agreement, particularly in the wake of the whistleblower complaint in August from Twitter’s former security chief, Peiter “Mudge” Zatko.

On Thursday, the FTC's public affairs director, Douglas Farrar, reportedly told The Post: "No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them."

This story was updated to correct the length of time that Elon Musk has owned Twitter.

Salesforce adjusted its HR policies to make firing workers easier



Salesforce recently updated its internal policies to make it easier for managers to terminate employees for performance issues without HR involvement, Protocol has learned, a move that comes as the software giant looks to shed as many as 2,500 jobs.


Previously, Salesforce’s employee relations team was heavily involved behind the scenes in the process of putting employees on performance improvement plans or terminating them for failing to hit certain metrics, including prior to any formal discussions with workers.

Now, managers will be able to put employees on performance improvement plans, or PIPs, and ultimately terminate them with little HR oversight, according to sources with knowledge of the deliberations. Managers were recently asked to sign a document indicating that, under this new system, they would treat employees fairly, one source added.

A Salesforce spokesperson and Chief People Officer Brent Hyder did not respond to a request for comment.

Salesforce’s HR team was scrambling last week to update the company’s policies ahead of Monday’s layoffs, according to sources and internal documents reviewed by Protocol. As part of the so-called “Performance Improvement Framework” revisions, internal resources including “Termination Talking Points” and the “Global PIP Template” were changed to reflect the greater authority given to managers and provide additional resources to help leaders act with a degree of autonomy.

By empowering managers, Salesforce can more easily shed its ranks as it looks to trim potentially thousands of jobs. Such a system is not unheard of in the industry, but it could open Salesforce up to legal challenges if, for example, someone in a protected class believes they are wrongly terminated.

Salesforce is taking cost-cutting measures seriously. Salespeople who were laid off on Monday were given two months' severance, according to both a current and former employee, a much less lucrative package than the company previously provided. It’s also noticeably less generous than others. Meta, for example, offered 16 weeks of pay to the 11,000 employees it laid off this week.

And while Meta based a portion of the severance on tenure, Salesforce employees who had been at the company for over a decade received the same package as those who had been there for much less time, the sources said.

CFPB: 'Pig butchering' and other frauds are the top crypto complaint



The Consumer Financial Protection Bureau said fraud and scam reports comprise the top complaint it receives about virtual currencies — and that customers are finding little help from companies when it happens.


In an analysis published Thursday, coming as FTX's potential collapse has roiled the entire industry, the CFPB detailed how reports of fraud make up about 40% of the more than 8,300 cryptocurrency-related complaints it received between October 2018 and September 2022.

“Our analysis of consumer complaints suggests that bad actors are leveraging crypto-assets to perpetrate fraud on the public,” CFPB director Rohit Chopra said in a statement. “Americans are also reporting transaction problems, frozen accounts, and lost savings when it comes to crypto-assets. People should be wary of anyone seeking upfront payment in crypto-assets, since this may be a scam.”

The analysis found "that complaints related to crypto-assets may increase when the price of bitcoin and other crypto-assets increase," as noted in the report. With prices falling rapidly this year, fraud and scam reports have captured a greater share of overall complaints.

"This issue appears to be getting worse, as fraud and scams make up more than half of 'virtual currency' complaints received thus far in 2022," the report said. "Some consumers stated that they have lost hundreds of thousands of dollars due to unauthorized account access. The prevalence of fraud and scam complaints raises the question of whether crypto-asset platforms are effectively identifying and stopping fraudulent transactions."

A common scam, the report found, is called "pig butchering." As described in the report, "fraudsters spend time gaining the victim’s confidence, trust, and romantic affection in order to get victims to set up crypto-asset accounts, only for the scammers to ultimately steal all their crypto-assets."

The FBI has also warned consumers about pig-butchering scams.

Consumers also reported "SIM-swap" attacks among methods hackers are using to exploit two-factor authentication and gain access to accounts. "Companies often responded to these complaints by stating that consumers are responsible for the security of their accounts," the report said.

Fraud and scam reports represented about 63% of the crypto-related complaints received by the CFPB in September, the most recent month analyzed by the agency. The second most common complaint, "other transaction problems," accounted for 15% of complaints.

The report comes near the end of a tumultuous week, even by the standards of the rollercoaster crypto industry. FTX's unraveling and Binance's decision to back away from a deal to acquire it have had ripple effects across the sector. The largest cryptocurrency, bitcoin, has fallen 16% over the past five days.

While the SEC and CFTC have been seeking to exercise oversight of crypto exchanges, the CFPB supervises electronic fund transfers and has broad powers to take action against financial practices it views as unfair, deceptive, or abusive. When the agency receives a complaint, it is typically sent to the company for a response and can be forwarded to other regulatory agencies for further investigation.

The full CFPB crypto analysis is available on its website.

Correction: An earlier version of this story misstated the second most common complaint to the CFPB. This story was updated on Nov. 10, 2022.

Musk ends remote work at Twitter



Elon Musk sent his first email to Twitter staff late Wednesday, warning of a difficult economic road ahead and telling employees they need to be in office for a minimum of 40 hours per week. "Sorry that this is my first email to the whole company, but there is no way to sugarcoat the message," he began, ominously.


Musk continued by emphasizing that relying on advertising revenue makes Twitter vulnerable, which is why he's pushing the new Twitter Blue Verified subscription so hard. The subscription costs $8 a month and is already causing problems with impersonation. "Without significant subscription revenue, there is a good chance Twitter will not survive the economic transition," the email, seen by Protocol, reads. Musk doesn't completely throw advertising under the bus, however, linking to a recording of his Twitter Spaces on the topic.

Remote work is no longer allowed at Twitter starting Thursday. By the time the email was sent, it was already midday for Twitter employees in Japan and 30 minutes before work hours for employees in Dublin. Musk said he will personally review requests for employees wishing to continue remote work. He hedged the Thursday start date slightly, writing: "Obviously if you are physically unable to travel to an office or have a critical personal obligation, then your absence is understandable."

Twitter was one of the tech companies leading the charge with "remote work forever" when the pandemic started, and the change is predictably prompting pushback from employees. After Musk's email went out, a senior legal counsel at Twitter told employees in the company’s New York City office Slack channel they believed no one has an obligation to return to office — especially not on short notice — as the mandate represents a fundamental change to their employment contracts, according to screenshots reviewed by Protocol. The counsel also encouraged Tweeps to use Twitter's unlimited PTO policy to take the day off.

The counsel also noted that Twitter's CISO, chief privacy officer, and chief compliance officer all resigned from the company late Wednesday. Former CISO Lea Kissner confirmed their departure from the company in a Thursday tweet.

Many tech workers have grown accustomed to remote work. The change in policy may push more Tweeps to leave — but this may be Musk's intention. After a week of owning Twitter, Musk laid off half the company via an unsigned email. He later tried to get some of those employees back.