Twitter CEO's Account Was Hacked With His Phone Number, And Why It Can Happen To You Too
Last week, Twitter CEO Jack Dorsey had an unpleasant surprise. At some point in the day, a group of hackers gained access to his account, and tweeted a stream of racist messages to his 4.2 million followers. Apparently, it wasn't too hard either.
This past Friday, Twitter CEO Jack Dorsey had an unpleasant surprise. At some point in the day, a group of mischief makers gained access to his account, and tweeted a stream of racist messages to his 4.2 million followers. Apparently, it wasn't too hard to do either.
Images courtesy: Reuters
Aside from racist messages, the group also tweeted out plugs for their Discord channel, probably as a way to drum up sales for their hacks or the like. Dorsey's team was able to regain control of his account in just 15 minutes, but the fact that Twitter's CEO was hacked is just bad for business.
Worse, the method they used was fairly basic.
The hackers broke into Dorsey's Twitter using the platform's text-to-tweet service, which is operated by Cloudhopper, a company Twitter acquired. The service itself is a holdover from Twitter's old 140-character-limit days. It allows Twitter users to post a tweet by sending a text message to a shortcode number, usually 40404. It's handy for when you really need to tweet but don't have an Internet connection. And all it requires is linking your phone number to your account, which you might've already done anyway for security.
The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.
This means it's possible to tweet from a person's account just by gaining control of their phone number. And as it turns out, that wasn't hard to do for Dorsey's number. According to a statement from the company, a "security oversight" on the part of the CEO's phone service provider let the hackers take over the number by convincing the carrier to assign it to a new SIM card. Basically, Twitter's own systems weren't breached; Dorsey's phone company was tricked. However, Twitter shares some of the blame, because its text-to-tweet service treated control of the phone number as proof of identity and so let the hackers game the system so easily.
This sort of attack has in the past been used to do things like steal Bitcoin or gain access to high-profile Instagram accounts. SIM hacking, as it's called, is easy to protect against too. There are ways to PIN-protect your carrier account, or to register your Twitter through a dummy phone number. However, that's a bit over the head of most regular users, which is exactly why they are the favoured targets of many hackers. And as shown by the Dorsey incident, it works too.
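To make concrete why a text-to-tweet style feature is exposed by a SIM swap, and what the "protect against it" advice above amounts to on the service side, here is a small model of an SMS-to-post gateway. This is an added illustration written for this article, not Twitter's or Cloudhopper's code; the account record, the `"<pin> <text>"` message format, the phone number and the message texts are all constructed for the example. The weak handler treats the sending phone number as the identity, so whoever the carrier has just assigned the number to can post. The hardened handler keeps the feature off unless the owner has turned it on and additionally requires a short secret that the carrier never holds, and it writes an audit entry for every rejected attempt so that a takeover of the number shows up in logs instead of on the timeline.

```python
"""
Constructed model of an SMS-to-post gateway (example code, not Twitter's or
Cloudhopper's implementation).

Shows why authenticating a post solely by the sending phone number fails once a
SIM swap moves that number to an attacker's handset, and what a hardened version
of the same handler checks before publishing.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    phone: str                          # number linked for 2FA / recovery
    sms_posting_enabled: bool = False   # hardened design: feature is opt-in, default off
    sms_pin_hash: bytes = b""           # hash of a secret the carrier never sees at enrolment
    posts: list = field(default_factory=list)


def _hash_pin(handle: str, pin: str) -> bytes:
    # Bind the PIN hash to the handle so one leaked hash is useless for other accounts.
    return hashlib.sha256(f"{handle}:{pin}".encode()).digest()


def enroll_sms_posting(acct: Account, pin: str) -> None:
    """Owner explicitly turns the feature on and sets a posting PIN (constructed flow)."""
    acct.sms_posting_enabled = True
    acct.sms_pin_hash = _hash_pin(acct.handle, pin)


def weak_handle_inbound(directory: dict, from_number: str, body: str) -> str:
    """Weak behaviour: the phone number *is* the identity. Anyone who now controls
    the number (e.g. after a SIM swap at the carrier) can publish."""
    acct = directory.get(from_number)
    if acct is None:
        return "unknown sender"
    acct.posts.append(body)
    return "posted"


def hardened_handle_inbound(directory: dict, from_number: str, body: str, audit: list) -> str:
    """Hardened behaviour: number lookup only selects the account; posting still
    requires the feature to be enabled and a per-account secret to match."""
    acct = directory.get(from_number)
    if acct is None:
        return "unknown sender"
    if not acct.sms_posting_enabled:
        audit.append(f"{acct.handle}: SMS post attempted from {from_number} but feature is disabled")
        return "rejected: feature disabled"
    # Assumed message format for this example: "<pin> <text>"
    pin, _, text = body.partition(" ")
    if not text or not hmac.compare_digest(_hash_pin(acct.handle, pin), acct.sms_pin_hash):
        audit.append(f"{acct.handle}: SMS post from {from_number} with bad PIN")
        return "rejected: bad pin"
    acct.posts.append(text)
    return "posted"


def run_scenario() -> dict:
    """Replay a SIM-swap scenario against both handlers and report what got published."""
    directory = {}
    owner = Account(handle="ceo", phone="+15550100")   # constructed sample account
    directory[owner.phone] = owner
    audit = []

    # The attacker now controls +15550100 and sends texts from it.
    weak = weak_handle_inbound(directory, owner.phone, "first hostile post")
    disabled = hardened_handle_inbound(directory, owner.phone, "second hostile post", audit)

    # Owner had opted in earlier with a PIN; the attacker does not know it.
    enroll_sms_posting(owner, "4812")
    bad_pin = hardened_handle_inbound(directory, owner.phone, "0000 third hostile post", audit)
    good_pin = hardened_handle_inbound(directory, owner.phone, "4812 legitimate post from the owner", audit)

    return {
        "weak": weak, "disabled": disabled, "bad_pin": bad_pin, "good_pin": good_pin,
        "posts": list(owner.posts), "audit_entries": len(audit),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The default-off flag alone already closes most of the exposure, because the vast majority of accounts never use SMS posting yet still have a phone number linked for security. The PIN is the second layer; note that a static secret sent over SMS is only as good as the channel, so the design point is not the PIN itself but that mere control of the number must not be sufficient to publish.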
Chuckling Squad, the group that took over Dorsey's account, has been using SIM hacking for years, mostly against influencers and celebrities. Dorsey is just the latest in a long string of attacks. And yet, because of his position in the company, it's an embarrassment to Twitter as a whole, especially since this is an old, well-known hacking technique.
Ideally Twitter would learn from this incident and start beefing up security, especially older systems like text-to-tweet. Given their past record though, you probably shouldn't hold your breath.