The bad news for Twitter CEO Jack Dorsey is that this week he lost more than his Twitter account: he lost control of his phone number, giving the crooks privileged access to any service that relies on that number, not just Twitter.
For about 20 minutes on Friday afternoon, Dorsey's account tweeted a series of racist and otherwise offensive tweets.
"This allowed an unauthorised person to compose and send tweets via text message from the phone number". However, several racist remarks and bomb threats remained visible on Dorsey's profile for some time.
While nowadays the overwhelming majority of users use mobile apps to tweet, Twitter's early days were built around texting in updates - hence the character limit - and Twitter has kept this method, in part because of its use in developing countries with high data costs.
In a statement about the breach, Twitter said: "The phone number associated with the account was compromised due to a security oversight by the mobile provider".
Twitter did not specify which mobile phone carrier was involved, but stressed that the issue has been resolved, "and there is no indication that Twitter's systems have been compromised". Twitter acquired Cloudhopper in 2010.
Twitter declined to comment on whether the hackers gained any other access to Dorsey's personal information, such as his direct messages, or to his other social media accounts.
The Friday incident recalled the November 2017 incident in which Trump's account went offline for 11 minutes, the work of a Twitter contractor. In general terms, this kind of attack is called SIM hacking: essentially convincing a carrier to assign Dorsey's number to a new phone that the attackers controlled.
The alternative is that they first cracked his password and then used their access to his phone number to steal a 2FA code sent to it via SMS. If the account of Twitter's CEO can be compromised, how can anyone else's account be secured?
"If you can't protect Jack, you can't protect jack", one Twitter user quipped. Ironically, the top reason Twitter says you should do this is "Keeping your account secure". The primary tool for this is two-factor authentication, which Twitter calls "login verification".
It's a horrendous and inexcusable security flaw, and there's not much Twitter users can do about it.
What attackers do is tap into their victim's phone communications, by fooling the telecommunications company's representatives or even by having a rogue operator on the inside; in other words, a good old spot of successful social engineering. Twitter also suspended the account that appeared to be responsible for the hack.
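To make the trust boundary concrete, here is an added example (not Twitter's code and not from the original article) that models a text-to-tweet gateway in two modes: one that, like the SMS path described above, accepts a tweet on the strength of the sender's phone number alone, and one that also binds the number to the SIM it was enrolled from, so a carrier-side reassignment stops the message being accepted. The carrier's SIM lookup, the account name and the phone number are assumptions constructed for the demo.

```python
from typing import Dict, Optional, Tuple

class Carrier:
    """Toy carrier: which SIM currently holds each number. A SIM swap is
    modelled as the carrier reassigning the number to a different SIM."""

    def __init__(self) -> None:
        self._sim_for_number: Dict[str, str] = {}

    def assign(self, number: str, sim_id: str) -> None:
        self._sim_for_number[number] = sim_id

    def sim_for(self, number: str) -> Optional[str]:
        return self._sim_for_number.get(number)

class SmsTweetGateway:
    """Toy 'tweet by SMS' gateway. Weak mode trusts the sender number alone.
    Hardened mode also requires the SIM holding the number to match the one
    recorded at enrollment (an assumed carrier signal, not a Twitter feature)."""

    def __init__(self, carrier: Carrier, require_sim_binding: bool) -> None:
        self.carrier = carrier
        self.require_sim_binding = require_sim_binding
        # number -> (account, SIM id observed when the number was enrolled)
        self._enrolled: Dict[str, Tuple[str, Optional[str]]] = {}

    def enroll(self, account: str, number: str) -> None:
        self._enrolled[number] = (account, self.carrier.sim_for(number))

    def handle_sms(self, sender_number: str, text: str) -> Optional[str]:
        """Return the account the text is posted to, or None if rejected."""
        entry = self._enrolled.get(sender_number)
        if entry is None:
            return None
        account, enrolled_sim = entry
        if self.require_sim_binding and self.carrier.sim_for(sender_number) != enrolled_sim:
            # Number moved to another SIM since enrollment: unauthenticated until re-verified
            return None
        return account

def simulate(require_sim_binding: bool) -> Tuple[Optional[str], Optional[str]]:
    # Return (result before the swap, result after the swap) for one mode.
    carrier = Carrier()
    carrier.assign("+15550100", "sim-owner")        # constructed sample values
    gateway = SmsTweetGateway(carrier, require_sim_binding)
    gateway.enroll("@ceo", "+15550100")
    before = gateway.handle_sms("+15550100", "legitimate update")
    carrier.assign("+15550100", "sim-attacker")     # carrier talked into a swap
    after = gateway.handle_sms("+15550100", "offensive post")
    return before, after
```

In weak mode both messages are posted to the enrolled account; in hardened mode the second is rejected because the number no longer sits on the SIM it was enrolled with.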