After Dutch bloke claims he hacked Trump's Twitter by guessing password, web biz says there's 'no evidence'

It's saying something when it's easy to believe the US President's passphrase was maga2020!


Donald Trump's Twitter password was easily guessed, and he still isn't using multi-factor authentication, claims a Dutch hacker who on Thursday bragged he broke into the President's account last week. Twitter says it has "no evidence" this claim is true.

Victor Gevers told Vrij Nederland he tried the password maga2020! and found it worked, without any extra authentication required, and also said he may have used the account access to tweet a link to a satirical website as the President. Gevers also provided a screenshot purportedly of him on a profile editing page of Trump's account to prove he gained control of arguably the world’s most important Twitter account.

Twitter was having none of it, though: neither the password guessing nor the link posting. "We've seen no evidence to corroborate this claim, including from the article published in the Netherlands," a spokesperson told The Register. "We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government."

The social media biz pointed to the mechanisms it had put in place to protect high-value accounts like Trump's, such as the requirement of a strong 10-character-minimum password and the detection and thwarting of suspicious activity.

El Reg asked Gevers to comment on Twitter's push-back, and we've not heard back. Gevers, a 44-year-old "grumpy old hacker," previously broke into Trump's Twitter account in 2016. This was done by finding the President's hashed password in the database of users stolen from LinkedIn by miscreants in 2012 and subsequently leaked. The hash was easily cracked as yourefired, and it turned out the President had reused his LinkedIn passphrase for his Twitter account, which is followed today by 87 million people.
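The 2016 break-in worked because a password cracked from an unsalted leak had been reused on another service. As an added example (not code from the article or from Twitter), here is the kind of check a service can run at password-set time: screen a candidate against a leaked-hash corpus using a prefix range query so the full hash never leaves the client, and enforce the 10-character minimum the article mentions. The leaked set is constructed inline so the code runs offline; the 2012 LinkedIn dump was unsalted SHA-1, which is why a single hash per candidate is enough to match.

```python
import hashlib
from collections import defaultdict

MIN_LENGTH = 10  # the 10-character minimum the article says Twitter applies to high-profile accounts


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, upper-case hex, matching the format of the LinkedIn-era dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked dump of unsalted SHA-1 hashes. Real corpora hold
# hundreds of millions of entries; these few are built here so the example runs offline.
LEAKED_SHA1 = {sha1_hex(p) for p in ("yourefired", "maga2020!", "password1", "letmein")}

# Index the corpus by its first 5 hex chars so a client can query without revealing the
# full hash (the k-anonymity range-query pattern used by public breached-password services).
_BY_PREFIX: dict[str, set[str]] = defaultdict(set)
for _h in LEAKED_SHA1:
    _BY_PREFIX[_h[:5]].add(_h[5:])


def range_query(prefix: str) -> set[str]:
    """Server side: every leaked-hash suffix that shares this 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return set(_BY_PREFIX.get(prefix.upper(), ()))


def is_in_leak(password: str) -> bool:
    """Client side: only the 5-char prefix is sent; the suffix match happens locally."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])


def check_new_password(password: str) -> list[str]:
    """Reasons to reject a candidate at set/reset time (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_in_leak(password):
        problems.append("present in a known credential leak")
    return problems
```

A password that passes this screen still needs a second factor; the check only blocks reuse of credentials that are already public.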

Earlier this week, the President, funnily enough, drew the infosec community’s ire by declaring “nobody gets hacked" unless it’s by "somebody with 197 IQ and he needs about 15 percent of your password.”

So, how did Gevers get the idea to probe Trump's profile once again? Last Friday, he got curious when he saw Trump once again in the news in the run-up to the 2020 US elections, due to be held on November 3. The hacker tried a bunch of likely passwords for the President's profile, and claims he hit the jackpot on his sixth guess: maga2020!

“It took five tries on last Friday,” Gevers told El Reg earlier on Thursday, adding that his initial reaction when the password apparently worked was: “Shit. Why! Why him? There goes my weekend.” He also claimed there was no two-factor authentication challenge just like in 2016.

In what must have been more than a mild state of panic, Gevers and his friends, we're told, tried to tell someone, anyone, about the glaring security problem, from administration officials to Twitter itself: “We tried Team Trump, his son, the White House, Twitter security, etc. And also tried to reach him directly via Twitter,” Gevers claimed.

The Dutchman assured us that someone eventually replied on Wednesday, and that Trump’s account has since been secured.

Gevers told Vrij Nederland journalist Gerard Janssen: “Getting access to someone’s Twitter account comes with much more risks than before: you can do more than just recommend Bitcoins and rearrange an account. All of the account interactions are logged and saved.”

Earlier this year, numerous prominent people’s Twitter accounts were hijacked by miscreants who seemingly socially engineered their way into the social network’s backend systems. The crooks used their illicit access to take over profiles and tweet as celebrities to millions of people, tricking the unwary into handing over their Bitcoins.

The White House, that bastion of truth and integrity, on Thursday denied the President's Twitter account had been accessed by Gevers. Trump's tweet to the satirical website, in which he appears to believe it's a legit news article and not a piece of fiction, has also not been deleted. ®
