Donald Trump's Twitter password was easily guessed, and he still isn't using multi-factor authentication, claims a Dutch hacker who on Thursday bragged he broke into the President's account last week. Twitter says it has "no evidence" this claim is true.
Victor Gevers told Vrij Nederland he tried the password maga2020! and found it worked, without any extra authentication required, and also said he may have used the account access to tweet a link to a satirical website as the President. Gevers also provided a screenshot purportedly of him on a profile editing page of Trump's account to prove he gained control of arguably the world’s most important Twitter account.
Twitter was having none of it, though: neither the password guessing nor the link posting. "We've seen no evidence to corroborate this claim, including from the article published in the Netherlands," a spokesperson told The Register. "We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government."
The social media biz pointed to the mechanisms it had put in place to protect high-value accounts like Trump's, such as the requirement of a strong 10-character-minimum password and the detection and thwarting of suspicious activity.
El Reg asked Gevers to comment on Twitter's push-back, and we've not heard back. Gevers, a 44-year-old "grumpy old hacker," previously broke into Trump's Twitter account in 2016. This was done by finding the President's hashed password in the database of users stolen from LinkedIn by miscreants in 2012 and subsequently leaked. The hash was easily cracked as yourefired, and it turned out the President was using the same passphrase on LinkedIn for his Twitter account, which is followed today by 87 million people.
Earlier this week, the President, funnily enough, drew the infosec community’s ire by declaring “nobody gets hacked” unless it’s by “somebody with 197 IQ and he needs about 15 percent of your password.”
Donald Trump on computer hacking: "Nobody gets hacked. To get hacked you need somebody with 197 IQ and he needs about 15 percent of your password."— Ira Goldman 🦆🦆🦆 (@KDbyProxy) October 19, 2020
So, how did Gevers get the idea to probe Trump's profile once again? Last Friday, he got curious when he saw Trump once again in the news in the run-up to the 2020 US elections, due to be held on November 3. The hacker tried a bunch of likely passwords for the President's profile, and claims he hit the jackpot on his sixth guess:
“It took five tries on last Friday,” Gevers told El Reg earlier on Thursday, adding that his initial reaction when the password apparently worked was: “Shit. Why! Why him? There goes my weekend.” He also claimed there was no two-factor authentication challenge just like in 2016.
In what must have been more than a mild state of panic, Gevers and his friends, we're told, tried to tell someone, anyone, about the glaring security problem, from administration officials to Twitter itself: “We tried Team Trump, his son, the White House, Twitter security, etc. And also tried to reach him directly via Twitter,” Gevers claimed.
The Dutchman assured us that someone eventually replied on Wednesday, and that Trump’s account has since been secured.
Gevers told Vrij Nederland journalist Gerard Janssen: “Getting access to someone’s Twitter account comes with much more risks than before: you can do more than just recommend Bitcoins and rearrange an account. All of the account interactions are logged and saved.”
Earlier this year, numerous prominent people’s Twitter accounts were hijacked by miscreants who seemingly socially engineered their way into the social network’s backend systems. The crooks used their illicit access to take over profiles and tweet as celebrities to millions of people, tricking the unwary into handing over their Bitcoins.
The White House, that bastion of truth and integrity, on Thursday denied the President's Twitter account had been accessed by Gevers. Trump's tweet to the satirical website, in which he appears to believe it's a legit news article and not a piece of fiction, has also not been deleted. ®