Naked Security

@jack’s twitter attacked, phone number hacked

Twitter founder and CEO Jack Dorsey's Twitter account was compromised.

The latest high-profile celebrity Twitter account to get hacked…

…was none other than @jack, which belongs to Jack Dorsey, the founder and CEO of Twitter itself.

Twitter’s corporate communications account has confirmed that the account got taken over, but says that @jack is “now secure, and there is no indication that Twitter’s systems have been compromised.”

https://twitter.com/TwitterComms/status/1167548246618587137

Twitter Comms later confirmed that the attack was possible because “the phone number associated with the account was compromised”, suggesting that Dorsey may have been the victim of a SIM swap attack.

https://twitter.com/TwitterComms/status/1167591003143847936

In a successful SIM swap attack, hackers persuade a mobile phone provider to transfer a victim’s phone number to the hacker’s SIM card, giving the hacker the victim’s incoming calls and text messages – including any login codes sent by SMS.

Dorsey is rumoured to use a service that allows him to tweet via SMS messages, and this may be what gave the hackers the ability to tweet in his name.

An alternative is that they first cracked his password and then used their access to his phone number to steal a 2FA code sent to it via SMS.
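
As an added illustration that is not part of the original article (and not Twitter’s code), the Python model below shows why a SIM swap defeats both of the paths just described – tweet-by-SMS keyed on the sending number, and a password plus an SMS-delivered 2FA code – while a password plus an authenticator-app code (RFC 6238 TOTP, the “phone and app method”) does not. The `Carrier`, `Service`, phone numbers, password and SMS wording are constructed for the demo; the TOTP seed is the RFC 6238 Appendix B test seed so the expected code is known.

```python
import hashlib
import hmac
import secrets
import struct
import time


class Carrier:
    """Constructed model of a mobile operator: it routes SMS for a number
    to whichever inbox (SIM) currently holds that number."""

    def __init__(self):
        self.routing = {}  # phone number -> inbox (list of messages)

    def register(self, number, inbox):
        self.routing[number] = inbox

    def sim_swap(self, number, new_inbox):
        # The social-engineered port: the number now terminates on the attacker's SIM.
        self.routing[number] = new_inbox

    def send_sms(self, number, text):
        self.routing[number].append(text)


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1), computed on the device."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Service:
    """Toy account exposing the three login paths discussed in the article."""

    def __init__(self, carrier, number, password, totp_seed):
        self.carrier, self.number = carrier, number
        self.password, self.totp_seed = password, totp_seed
        self.timeline, self.pending_code = [], None

    def sms_tweet(self, from_number, text):
        # Tweet-by-SMS trusts nothing but the sending phone number.
        if from_number != self.number:
            return False
        self.timeline.append(text)
        return True

    def start_login_sms(self, password):
        # Password first, then a one-time code texted to the number on file.
        if password != self.password:
            return False
        self.pending_code = f"{secrets.randbelow(10 ** 6):06d}"
        self.carrier.send_sms(self.number, f"Your login code is {self.pending_code}")
        return True

    def finish_login_sms(self, code):
        ok = self.pending_code is not None and hmac.compare_digest(code, self.pending_code)
        self.pending_code = None
        return ok

    def login_totp(self, password, code, now=None):
        # Password plus an app-generated code; the phone number plays no part.
        return password == self.password and hmac.compare_digest(code, totp(self.totp_seed, now))


def code_from_sms(inbox):
    # Pull the six-digit code out of the most recent message in an inbox.
    return inbox[-1].rsplit(" ", 1)[1]


def run_scenarios():
    carrier = Carrier()
    victim_phone, attacker_phone = [], []
    number, password = "+15555550100", "correct horse battery"  # constructed values
    seed = b"12345678901234567890"  # RFC 6238 Appendix B test seed
    carrier.register(number, victim_phone)
    svc = Service(carrier, number, password, seed)
    r = {}

    # Before the swap, an SMS from any other number is rejected.
    r["sms_tweet_before_swap"] = svc.sms_tweet("+15555550199", "hi")

    carrier.sim_swap(number, attacker_phone)
    # After it, the attacker's SIM *is* the number, so tweet-by-SMS accepts them.
    r["sms_tweet_after_swap"] = svc.sms_tweet(number, "hijacked")

    # SMS 2FA: given the password, the code now lands on the attacker's handset.
    svc.start_login_sms(password)
    r["victim_received_code"] = len(victim_phone) > 0
    r["sms_2fa_after_swap"] = svc.finish_login_sms(code_from_sms(attacker_phone))

    # TOTP: the seed never crossed the network, so owning the number does not help.
    r["totp_attacker_guess"] = svc.login_totp(password, "000000", now=59)
    r["totp_owner"] = svc.login_totp(password, totp(seed, now=59), now=59)  # code "287082"
    return r
```

Run `run_scenarios()` to see the outcome of each path: only the TOTP login survives the swap, and it does so because the second factor lives on the device rather than on the phone number. Note that the SMS 2FA path still needs the password, which is the point the commenter below makes about SMS-only “2FA” being one factor in practice.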

The good news for Twitter users is that this wasn’t a hack on Twitter’s infrastructure and possibly not even a full takeover of the @jack Twitter account (we don’t know if Dorsey was prevented from using his account, only that others gained some ability to abuse it).

We’re not going to reprint any of the tweets or retweets that were sent during the period that a hacking crew going by the nickname Chuckling Squad claimed to have access – if you really must see them, you can find them elsewhere – but they seem to have included a number of racist and anti-semitic taunts, as well as a bomb hoax.

Unsurprisingly, Dorsey is a popular and prolific tweeter himself, with more than 4,000,000 followers and 26,000 tweets, so Twitter’s quick response was commendable – reports suggest that the offensive tweets were removed within 15 minutes of being sighted.

Not everyone in the Twittersphere was complimentary about the response, however, with the very first reply to Twitter’s PR account saying that the company should:

ban him and make him appeal via email, then take a couple days to process it. [W]hy give him special treatment?

https://twitter.com/LlamaInaTux/status/1167533068900429825

Anyone who has lost control of any of their own social media accounts – for example due to phishing, a poorly-chosen password or an unlocked phone in the wrong hands – will know that it’s often a stressful exercise to reclaim the account.

To be fair to Twitter, however, establishing that Jack Dorsey was indeed the rightful user of the @jack account would not have been a difficult process, so the company’s super-fast response in this case can hardly be put down to favouritism.

What to do?

To avoid losing control of your Twitter account, read our guide to securing your Twitter account.

2 Comments

Why would they think that SMS 2FA is secure? This is just a twitter account, but banks rely on SMS 2FA. I personally like the phone and app method better.

You can still set (most) accounts up so that a SIM swap alone is not enough – technically if you have 2FA then the crooks have to do a SIM swap *and* get your password (or else it’s really 1FA you have). It’s not clear whether that is what happened to @jack. So the 2FA part of the story might be a red herring…

…or the SIM swap part might be a red herring.
