@jack’s twitter attacked, phone number hacked
Credit to Author: Naked Security writer| Date: Fri, 30 Aug 2019 22:37:15 +0000
The latest high-profile celebrity Twitter account to get hacked…
…was none other than @jack, which belongs to Jack Dorsey, the founder and CEO of Twitter itself.
Twitter’s corporate communications account has confirmed that the account got taken over, but says that @jack is “now secure, and there is no indication that Twitter’s systems have been compromised.”
@jack The account is now secure, and there is no indication that Twitter's systems have been compromised.
—
Twitter Comms (@TwitterComms) August 30, 2019
Twitter Comms later confirmed that the attack was possible because “the phone number associated with the account was compromised”, suggesting that Dorsey was the victim of a SIM swap attack.
@jack The phone number associated with the account was compromised due to a security oversight by the mobile provid… twitter.com/i/web/status/1…
—
Twitter Comms (@TwitterComms) August 31, 2019
In a successful SIM swap attack, hackers persuade a mobile phone provider to transfer a victim’s phone number to the hacker’s SIM card, giving the hacker access to the victim’s calls and messages. Dorsey is rumoured to use a service that allows him to tweet via SMS messages, and this may be what gave the hackers the ability to tweet in his name.
The alternative is that they first cracked his password and then used their access to his phone number to steal a 2FA code sent to it via SMS.
The good news for Twitter users is that this wasn’t a hack on Twitter’s infrastructure and possibly not even a full takeover of the @jack Twitter account (we don’t know if Dorsey was prevented from using his account, only that others gained some ability to abuse it).
The bad news for Dorsey is that he lost more than his Twitter account: he lost his phone number, giving crooks privileged access to any service that relies on that number, not just Twitter.
We’re not going to reprint any of the tweets or reweets that were sent during the period that a hacking crew going by the nickname Chuckling Squad claimed to have access – if you really must see them, you can find them elsewhere – but they seem to have included a number of racist and anti-semitic taunts, as well as a bomb hoax.
Unsurprisingly, Dorsey is a popular and prolific tweeter himself, with more than 4,000,000 followers and 26,000 tweets, so Twitter’s quick response was commendable – reports suggest that the offensive tweets were removed within 15 minutes of being sighted.
Not everyone in the Twittersphere was complimentary about the response, however, with the very first reply to Twitter’s PR account saying that the company should:
ban him and make him appeal via email, then take a couple days to process it. [W]hy give him special treatment?
@TwitterComms @jack you should ban him and make him appeal via email, then take a couple days to process it. why give him special treatment
—
llama (@LlamaInaTux) August 30, 2019
Anyone who has lost control of any of their own social media accounts – for example due to phishing, a poorly-chosen password or an unlocked phone in the wrong hands – will know that it’s often a stressful exercise to reclaim the account.
To be fair to Twitter, however, establishing that Jack Dorsey was indeed the rightful user of the @jack account would not have been a difficult process, so the company’s super-fast response in this case can hardly be put down to favouritism.
What to do?
To avoid losing control of your Twitter account, read our guide to ecuring your Twitter account.