About the Twitter CEO ‘@jack hack’

Graham Cluley

How Twitter CEO Jack Dorsey's account wasn't hacked

As you have probably heard by now, Twitter CEO Jack Dorsey’s account (@jack, 4.2 million followers) started spewing some tweets on Friday night that were out of character even for him.

For about 15 minutes the account tweeted racist and offensive remarks, and even at one point what appeared to be a bomb threat.

It was pretty obvious that these weren’t messages being genuinely tweeted by Twitter’s oddball co-founder, and theories spread like wildfire that his account had been hacked.

I joined in with the speculation late on Friday night, proposing possible explanations such as a lack of two-factor authentication, or a reused password, but leaning more towards a third-party app connected to the Twitter boss’s account having been hijacked.

I couldn’t see the funny side in Jack Dorsey’s misfortune, having myself suffered when a third-party app I had linked to my account started tweeting unauthorised messages a few years ago.

And when close examination of the offending tweets from the Twitter CEO’s account revealed they had been posted through a service called “Cloudhopper”, that seemed to suggest something similar had happened.

[Image: Jack tweet cloudhopper]

So, what is Cloudhopper and had it been compromised?

Cloudhopper is a service that facilitates tweeting via SMS text messages, and was acquired by Twitter back in 2010. If you have configured your Twitter account to allow it, it’s possible to just send a text message to update your Twitter status rather than use a smartphone app, laptop or desktop connection.

That’s fine, I suppose, with a couple of caveats.

Firstly, you need to be careful to only send SMS messages to Twitter that you wish to become public.

It’s surprisingly easy to send a text message that you believe to be private to the wrong number, as then White House press secretary Sean Spicer found out in January 2017 when he tweeted something that appeared to be a password via Cloudhopper.

[Image: Sean Spicer tweet cloudhopper]

Secondly, if Twitter is going to accept SMS messages from your mobile phone number and automatically broadcast them to the world, you had better be feeling darn confident that no-one else is going to gain access to your phone – or seize control of your mobile number.

As Twitter’s communications team explained the following day, it seems that’s precisely how the unauthorised parties managed to post the offensive messages to @jack’s account:

The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.

In short, it sounds like Jack Dorsey’s Twitter problems were caused by his mobile phone number being seized in a SIM swap attack (also sometimes called a Port Out scam), where his mobile phone provider was tricked by fraudsters into giving them control of someone else’s number.

So – if we are to believe Twitter’s explanation – the reason for the “@jack hijack” was not because Twitter’s CEO had failed to follow best practices for passwords, or been phished, or failed to have two-factor authentication in place, or even because he had a compromised app connected to his account – but instead that he no longer was in control of his own phone number.

That’s a problem not only because of unauthorised tweets, but also because of the surprising range of other things you can do via SMS with Twitter.

You can’t really blame the affected Twitter user for this incident – it’s a problem at the mobile phone operator’s end.

Well, maybe you can partly blame the affected Twitter user on this occasion. After all, he’s the boss of Twitter. He can get things changed if he wants to.

Although I’m sure there are some users in some parts of the world who appreciate being able to update Twitter via SMS, I’m not convinced that it is a feature that most Twitter users have a need for. I think it would be a sensible step for Twitter to disable SMS tweeting functionality by default, forcing users to manually enable it if they really want the feature.

It seems to me that another sensible step would be for those who do wish to tweet via SMS to be required to add a PIN to their text message as an additional form of identification. That would certainly be another hurdle for fraudsters and scammers to overcome.
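To make the two suggestions above concrete, here is an added example (written for this page, not code from Twitter, Cloudhopper or the author) of a toy SMS-to-post gateway. The account names, phone numbers, PIN, message text and the lockout threshold are all constructed. The legacy handler trusts the sending phone number alone, which is exactly what a SIM swap defeats; the hardened handler keeps SMS posting off until the user opts in, requires a PIN prefix on every message, compares it in constant time against a salted hash, and locks the feature after repeated wrong PINs.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_PIN_FAILURES = 3  # assumed lockout policy for this example


@dataclass
class Account:
    handle: str
    phone: str
    sms_posting_enabled: bool = False  # off by default: the user must opt in
    pin_salt: bytes = b""
    pin_hash: bytes = b""
    failed_pin_attempts: int = 0


def set_pin(account: Account, pin: str) -> None:
    """Store a salted PBKDF2 hash of the PIN; the PIN itself is never kept."""
    account.pin_salt = os.urandom(16)
    account.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), account.pin_salt, 100_000)
    account.failed_pin_attempts = 0


def check_pin(account: Account, pin: str) -> bool:
    """Constant-time comparison so response timing leaks nothing about the PIN."""
    if not account.pin_hash:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), account.pin_salt, 100_000)
    return hmac.compare_digest(candidate, account.pin_hash)


Directory = Dict[str, Account]          # phone number -> account
Post = Optional[Tuple[str, str]]        # (handle, text) if posted, None if rejected


def legacy_handle_sms(directory: Directory, sender: str, body: str) -> Post:
    """Weak design: whoever controls the phone number controls the account."""
    acct = directory.get(sender)
    if acct is None:
        return None
    return (acct.handle, body)


def hardened_handle_sms(directory: Directory, sender: str, body: str) -> Post:
    """Opt-in feature plus a PIN prefix ('1234 my message') and a failure lockout."""
    acct = directory.get(sender)
    if acct is None or not acct.sms_posting_enabled:
        return None
    if acct.failed_pin_attempts >= MAX_PIN_FAILURES:
        return None  # locked: the owner must re-enable via another channel
    pin, sep, text = body.partition(" ")
    if not sep or not text or not check_pin(acct, pin):
        acct.failed_pin_attempts += 1
        return None
    acct.failed_pin_attempts = 0
    return (acct.handle, text)


def demo() -> dict:
    """Walk through a simulated SIM swap against both handlers (all values constructed)."""
    owner = Account(handle="@example_user", phone="+15550100")
    directory: Directory = {owner.phone: owner}
    hijack = "Offensive text sent after a SIM swap"  # attacker now holds +15550100
    result = {}
    # Legacy gateway: the ported number is enough to post.
    result["legacy_after_sim_swap"] = legacy_handle_sms(directory, "+15550100", hijack)
    # Hardened gateway: the user never opted in, so nothing is posted.
    result["hardened_not_opted_in"] = hardened_handle_sms(directory, "+15550100", hijack)
    # Even after opting in, a message without the correct PIN is rejected.
    owner.sms_posting_enabled = True
    set_pin(owner, "4921")
    result["hardened_no_pin"] = hardened_handle_sms(directory, "+15550100", hijack)
    result["hardened_good_pin"] = hardened_handle_sms(directory, "+15550100", "4921 Hello from the train")
    # Repeated wrong PINs lock the feature, even for a later correct PIN.
    for _ in range(MAX_PIN_FAILURES):
        hardened_handle_sms(directory, "+15550100", "0000 guess")
    result["hardened_locked_out"] = hardened_handle_sms(directory, "+15550100", "4921 still locked")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lockout is deliberately per account rather than per sender, because after a SIM swap the attacker and the owner share the same sender number; a real gateway would also notify the owner through a channel that does not depend on the phone number and would require re-enabling the feature from a logged-in session.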

You can listen to more about the hack of Jack Dorsey’s Twitter account, and SIM swap fraud, in this episode of the “Smashing Security” podcast:

Smashing Security #144: 'Google helps the FBI, Twitter Jack’s hijack, and car data woes'


Update: Well, what do you know… Twitter disables tweeting via SMS (temporarily at least), in wake of Jack Dorsey account hijack

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
