Updated: Sep 5, 2019
Twitter’s CEO, Jack Dorsey has had his twitter account compromised, revealing significant shortcomings in the social network’s security protocols, highlighted by a third-party gaining access to its network and posting from none other than the CEO’s account.
The hack raises questions about the security of every day Twitter users, considering the CEO wasn’t immune from having his data accessed by a malicious third party. The hacker or hacking collective was able to publish a series of racist tweets, as well as retweet a number of inflammatory pages to Dorsey’s 4.2-million followers; the tweets remained published for around thirty-minutes before Twitter took them down.
Media reports are circulating whispers that a group known as the Chuckle Squad are responsible for the hack and subsequent racist posts, and were specifically mentioned in some of the tweets posted from Dorsey’s account by the hackers.
A report from CNN Business cites cyber security journalist, Brian Krebs, who says that Jack Dorsey was more than likely a victim of a sim card swap planned and facilitated by a third-party looking for someone with inside access to Dorsey.
“Somebody can just get somebody making $12 an hour and offer them a thousand dollars to do a SIM swap,” he said. According to that report from Shannon Liao, “thanks to a feature left over from Twitter’s early days, if a hacker gets control of the phone number associated with your Twitter account, they can text any tweets they want to Twitter’s number, 40404, and they’ll be immediately published to your account. The hacker wouldn’t need any other verification- not even your password,” Liao explains.
Twitter has remained tight-lipped about the breach, other than initially placing blame for the hack on Dorsey’s mobile service provider in a statement. “The phone number associated with the account was compromised due to a security oversight by the mobile provider,” Twitter said in a statement. “This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved,” Twitter stated, declining to answer questions surrounding its internal security practices.
The Guardian’s Julia Carrie Wong explains that “while this does not appear to be the case in this attack, Sim swaps often work by enabling a hacker to change a target’s social media passwords.”
“With control of a target’s phone number, a hacker can intercept text messages needed for two-factor authentication- an additional form of verification beyond a password to access an account, which usually comes via an SMS message or email.”
“Twitter told the US Senate intelligence committee that Dorsey uses two-factor authentication on his personal Twitter and email accounts in written responses provided to the committee in September 2018.”
The hack of Twitter’s CEO, while it is extremely rare, is far from unprecedented. Facebook’s Mark Zuckerberg, Google’s Sundar Pichai and Uber’s former chief executive, Travis Kalanick all had their accounts compromised in 2016 by a hacking group known as the OurMine Security group, which goes to show that even the heads of the technology companies themselves aren’t immune from a cyber breach.