
Jack Dorsey has account hacked - stuartmemo
https://www.bbc.co.uk/news/technology-49532244
======
dang
[https://news.ycombinator.com/item?id=20841976](https://news.ycombinator.com/item?id=20841976)

------
CiPHPerCoder
From 'minimaxir:
[https://news.ycombinator.com/item?id=20842045](https://news.ycombinator.com/item?id=20842045)

> It's worth noting the client is Cloudhopper: that has been compromised
> before.

>
> [https://twitter.com/gruber/status/859857475146854402](https://twitter.com/gruber/status/859857475146854402)

Looking up the hashtag the attackers used, I came across this blog post
alleging the problem being AT&T's:
[https://www.treyexgaming.com/index.php/2019/08/26/how-the-same-hacker-has-hacked-over-10-content-creators/](https://www.treyexgaming.com/index.php/2019/08/26/how-the-same-hacker-has-hacked-over-10-content-creators/)

Food for thought.

Regardless of whether the alleged source of insecurity is what happened here,
SMS-based authentication was a mistake.

~~~
minimaxir
Another thread about Cloudhopper:
[https://twitter.com/psythor/status/1167528597671878657?s=21](https://twitter.com/psythor/status/1167528597671878657?s=21)

------
CrankyBear
It wasn't the first time: [https://www.theverge.com/2016/7/9/12134754/ceo-jack-dorseys-twitter-account-hack](https://www.theverge.com/2016/7/9/12134754/ceo-jack-dorseys-twitter-account-hack)
Maybe it's time to take security a wee bit more seriously, Jack.

------
ghobs91
If it's this easy to hack Trump's Twitter account and say things that could
trigger war, maybe we need to reconsider allowing elected officials to use
social media as their official communications channel. Instead, they should
have a government run portal where they relay whatever info they need to.

~~~
0xffff2
As if that portal would somehow be more secure?

~~~
anigbrowl
Likely, yes. Perfect security might be impossible, but I hear some competent
people remain in the DoD and NSA despite the administration's efforts.

------
foobar_
People need to implement PGP for login and message signatures for showing
authenticity.

~~~
CiPHPerCoder
Some sort of PAKE backed by U2F/WebAuthn would be worth considering.

PGP is not. [https://latacora.singles/2019/07/16/the-pgp-problem.html](https://latacora.singles/2019/07/16/the-pgp-problem.html)

~~~
foobar_
What about NaCl?
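As an added illustration of the "message signatures for showing authenticity" idea raised by foobar_ and the NaCl follow-up (this is example code written for this page, not code from the thread, from Twitter or from NaCl itself): NaCl's crypto_sign is Ed25519, and Go's standard library ships the same primitive, so the example uses crypto/ed25519. The SignedPost wire format, the "signed-post-v1" domain-separation prefix and the function names are assumptions made for the example. The point it shows is the one the thread circles around: a post whose authenticity is tied to a private key cannot be forged by whoever hijacks the SMS-to-tweet path, because the attacker can publish text but cannot produce a valid signature over it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// SignedPost is a constructed wire format for the example: the post body plus
// a detached Ed25519 signature over a domain-separated message. Hypothetical;
// it is not Twitter's format.
type SignedPost struct {
	Handle string
	Body   string
	Sig    string // base64 of the 64-byte Ed25519 signature
}

// canonical builds the exact bytes that get signed. Binding the handle in
// stops a valid signature on one account's post from being replayed under
// another handle, and the version prefix separates this use of the key from
// any other Ed25519 use (an assumed convention for the example).
func canonical(handle, body string) []byte {
	return []byte("signed-post-v1\x00" + handle + "\x00" + body)
}

// SignPost produces a post whose authenticity depends on holding the private
// key, not on controlling the phone number attached to the account.
func SignPost(priv ed25519.PrivateKey, handle, body string) SignedPost {
	sig := ed25519.Sign(priv, canonical(handle, body))
	return SignedPost{
		Handle: handle,
		Body:   body,
		Sig:    base64.StdEncoding.EncodeToString(sig),
	}
}

// VerifyPost returns true only if Sig was made by the key matching pub over
// exactly this handle and body. Malformed or wrong-length inputs fail closed
// (ed25519.Verify panics on a wrong-size public key, so that is checked first).
func VerifyPost(pub ed25519.PublicKey, p SignedPost) bool {
	sig, err := base64.StdEncoding.DecodeString(p.Sig)
	if err != nil || len(sig) != ed25519.SignatureSize || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, canonical(p.Handle, p.Body), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample post for the example.
	post := SignPost(priv, "@jack", "Hello from my own key.")
	fmt.Println("genuine post verifies:", VerifyPost(pub, post))

	// An attacker who hijacked the SMS posting path can publish text under the
	// account, but cannot sign it; anyone holding the public key sees the mismatch.
	forged := post
	forged.Body = "text injected via a hijacked phone number"
	fmt.Println("forged post verifies:", VerifyPost(pub, forged))
}
```

Verification here is entirely offline: a reader needs only the account's public key and the post, which is what makes this different from trusting the platform's own claim of who sent a message. Key distribution and rotation are the hard part and are deliberately out of scope for the example.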

