Twitter CEO Jack Dorsey’s account on the site was hacked Friday, and he may have fallen victim to a vulnerability that Twitter has previously been warned about and repeatedly denied was a problem.
For about 20 minutes on Friday afternoon, Dorsey’s account tweeted a series of racist and otherwise offensive tweets. Twitter quickly acknowledged that someone had hacked the account, and said it was now secure.
The tweets appear to have been sent not by hacking Dorsey’s actual account, but by the hacker or hackers convincing Twitter’s systems that they had his phone and were texting the tweets to his account. It’s likely the hacker or hackers wouldn’t even have needed Dorsey’s password, or ever been prompted for it.
The tweets were labeled as posted by Cloudhopper, an SMS company Twitter purchased in 2010, back when some users regularly used text messages to send tweets. Today, if a text is sent to 40404 from a US phone number associated with a Twitter account, that account will post the text, and it will be labeled as coming from Cloudhopper.
CNN confirmed this would work using a newly registered account, which Twitter automatically opted in to texting by tweet. Then, with a phone that has never been used to log into Twitter, and without ever being asked for any password, a CNN reporter was able to send a tweet by text.
Hackers could potentially use this method to send tweets from other accounts belonging to prominent figures -— including American elected officials who are frequent Twitter users, like President Trump — so long as the targets haven’t opted out of tweeting by text. The White House and the Secret Service did not immediately respond to requests for comment as to whether Trump’s account has tweeting by text enabled.
This method of tweeting may have once seemed like a useful and harmless feature. But a phone number is considered far less of a secure identifier today than it was in 2010. The past few years have seen the rise of “sim jacking,” in which a hacker will convince a phone carrier that they’ve lost their SIM card and request that number be transferred to a new card.
In a follow-up tweet Friday night, Twitter implied this was what happened, writing, “The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.”
Phone numbers can also be imitated without “sim jacking.” Security researchers have previously been able to spoof a phone number associated with an account and convince Twitter to let them post tweets that way. Twitter said at the time it was a bug that had been resolved.
In 2012, Twitter published a blog post responding to reports that it might be possible for hackers to spoof a phone number and send tweets by text in this way. In that post, it specifically denied that US users could be vulnerable to such a hack.
Twitter declined to comment beyond its tweets about Dorsey.