
Jack Dorsey’s account was hacked - minimaxir
https://www.theverge.com/2019/8/30/20841288/jack-dorsey-ceo-twitter-account-hacked-chuckle-gang-shane-dawson-james-charles
======
philip1209
I don't know how the account was compromised - but, I notice that Twitter's
hardware U2F support is not designed to be very useable. They only allow one
security key per account, whereas most users have multiple - one on the
keychain, one left in the laptop, etc. So, I bet that high-risk accounts like
Jack are not even using this enhanced security mode because of its poor user
experience.

Compare this to Google where every employee is issued multiple hardware keys,
internal systems require security keys, and they put a lot of effort into
their "Advanced Protection Program" to make it useable:
[https://landing.google.com/advancedprotection/](https://landing.google.com/advancedprotection/)

~~~
hammock
Twitter and Google are on completely different planes when it comes to what
data and access they have to protect.

~~~
CobrastanJorji
That's true. One is the President's principal mechanism of speaking with the
American public and firing top officials.

~~~
komali2
If Trump's account got hacked it could quite literally result in the death of
millions.

~~~
philwelch
I’m just curious how you imagine this happening. @realdonaldtrump tweeting “I
HEREBY ORDER...” is not a legally binding order. Launching nuclear missiles or
whatever requires authentication codes and can only be ordered via a portable
radio alongside a series of codebooks, all of which is carried by a military
aide who is always near the President. Another country isn’t going to start a
war based on some weird tweets. It’s an extremely unlikely and weird risk.

~~~
thanatropism
A well crafted message that inflames followers to riot...

I'm the kind of person who, for example, doubted the Covington Kids story from
the beginning. By which I mean I'm not particularly alarmist about a putative
vast right-wing catastrophe taking place. But any popular leader (and he's
very popular among the people he's popular with) can start incidents like that
by accident.

~~~
ryanmarsh
You mean like accusing people of treason? (punishable by death) He’s already
done that from his account. To my knowledge Comey hasn’t been lynched.

~~~
thanatropism
This is true. Trump is so loud the whole time that it's hard to take him very
seriously, even for his supporters.

------
rtempaccount1
I'll be interested to see the post-mortem on this breach for sure.

As an outsider, I would have thought that the Twitter security team would have
a set of high-value users (with @jack being at the top of the list) who'd they
keep very close tabs on in terms of any unusual activity.

Realistically Twitter is where announcements are made by world leaders and
major corporations, control of these accounts could have repercussions,
although in this case it just seems to have been a general hack...

~~~
riffic
>where announcements are made by world leaders and major corporations, control
of these accounts could have repercussions

That control should not be solely in Twitter's hands.

Those leaders and orgs need to take a strong look at authenticity via
ActivityPub self-hosted on their own namespaces.

~~~
reissbaker
Self-hosting and security don't necessarily go hand-in-hand. For laypeople,
self-hosting is usually worse: they don't know what threats to protect
against, and even if they knew what to protect against they wouldn't know how.

And Twitter is where the audience is.

~~~
riffic
By self-hosting I would propose the Gmail/G Suite model. Managed service but
the organization controls users and the DNS.

~~~
mlthoughts2018
That’s not usually known as “self hosting”

~~~
cameronbrown
No but owning the namespace is important. It puts you, not Twitter, in the
driver's seat.

------
anigbrowl
A better report: [https://www.theverge.com/2019/8/30/20841288/jack-dorsey-ceo-...](https://www.theverge.com/2019/8/30/20841288/jack-dorsey-ceo-twitter-account-hacked-chuckle-gang-shane-dawson-james-charles)

The fact that the account was used to spread racist & nazi propaganda should
be a clue; timing it for 1pm on a Friday afternoon suggests a degree of
sophistication.

~~~
ceejayoz
Why is 1pm on a Friday significant?

~~~
anigbrowl
Because people in the same timezone are mostly at lunch and starting to relax
for the weekend, so the potential audience is large. I wasn't thinking of
anything market-related as another person suggested.

~~~
Phillipharryt
You're probably right. After-hours trading is so large these days that the big
movers don't care when the news is announced.

------
tempsy
At first I thought the blame would be mostly on the cell providers but it
seems Twitter deserves at least half the blame here.

I just tested the flow. If your phone is linked to your account, regardless of
your 2FA settings you can just start tweeting to your account by texting to
40404 without being asked to enter a password and completely bypassing any 2FA
settings on your account.

That seems highly unusual to me. Most of these attacks happen with the hacker
knowing the password as well. In this case, so long as you’ve successfully
ported the number you’re “in”.

~~~
exolymph
Even worse than that, removing your phone number will _silently_ disable all
other 2FA methods, even if you already had SMS 2FA turned off. The only way to
prevent your phone number from being used in account recovery is to disable
2FA altogether, because Twitter does not allow any 2FA without a phone number
attached to the account. It's appalling.

~~~
techntoke
Yes, actually they do allow 2FA without a phone number attached to the account
and I have set this up multiple times.

~~~
enra
How? I just tried it and you need to add your phone number in order to enable
the 2fa. After you set up the app 2fa and go to the phone tab and hit delete
number, it will also remove the 2fa. Also, it allows this without entering a
password or 2fa, which is bizarre.

~~~
techntoke
I'm going to have to apologize on this. I did it before the recent site
change, but I don't see any way to do it now.

------
minimaxir
It's worth noting the client is Cloudhopper: that has been compromised before.

[https://twitter.com/gruber/status/859857475146854402](https://twitter.com/gruber/status/859857475146854402)

~~~
empyrical
Here's some background on what "Cloudhopper" is:

[https://twitter.com/bhaggs/status/1090016722415845376](https://twitter.com/bhaggs/status/1090016722415845376)

~~~
soneca
And a reply to that tweet mentions that it was used to hack other accounts
before:

_"I know this is an old Tweet. But are you helping out with Shrouds jacked
account? Looks like whoever took over the account is using Cloudhopper to post
these hateful messages on Shrouds Timeline."_

------
paulpauper
Seems like a waste of a hack: posting some messages that are quickly deleted
and forgotten with no long-term gain. I would have done the eth/btc giveaway
scam thing and at least made good $ off it. It's like being smart in some
regard, such as hacking, but dumb in others, such as maximizing the gain from
the hack.

~~~
thermonot
The hacker could have said he is stepping down from TWTR because of massive
financial fraud, and make money by trading TWTR.

~~~
jes
Is it possible to make a substantial amount of money on such schemes while
evading detection and subsequent prosecution?

[https://www.marketwatch.com/story/to-catch-a-thief-how-nasda...](https://www.marketwatch.com/story/to-catch-a-thief-how-nasdaq-watches-for-insider-trading-2016-06-09)

~~~
thermonot
You don't do it by selling TWTR one minute before the hack.

You use your brain a little. You prepare your positions months in advance, and
hedge out market risks.

You can also use less regulated brokers in far away places and trade TWTR
derivatives.

~~~
Phillipharryt
Ok but brokers aren't less regulated, exchanges are, and Twitter isn't traded
on every exchange.

------
jpmattia
I can only imagine the possibilities if the president's account were hacked.

~~~
daenz
Fortunately the hackers always seem to speak like excited teenagers instead of
impersonating the people they hack.

~~~
pat87
“speak like excited teenagers”

So does the president

~~~
drngdds
I get more of a "grouchy geriatric in the early stages of dementia" vibe

------
Havoc
Embarrassing but inconsequential

------
Medicalidiot
This is a dumb question and want to qualify with my field is medicine, not
technology: would one have the same username and password on the web facing
side of a website as the backend of things (having access to servers or I have
no idea what else one would do)? I have no idea how any of this works, but am
curious if this would be the case.

~~~
esotericn
Could you? Sure.

Would you? Not unless you were completely batshit insane.

~~~
Medicalidiot
How often does this happen?

~~~
hermitdev
Very frequently. Off the cuff, I'd estimate that 99% of not tech-savvy users
utilize the same password for everything, maybe with subtle variations
according to whatever service's requirements for a password.

Probably among tech-savvy people the percentage is lower, but still higher
than it should be.

I myself, having been in IT for over 20 years, am guilty of this for
non-sensitive accounts. For significant accounts, they're randomly generated to
the longest and highest degree a service allows. My gmail password, for
instance, is a 40-character random spread along their allowed characters. I
cannot remember it.

------
throwawayxc
This hack is a symptom of a much bigger loss of control. Twitter is an
absolute dumpster fire at this point. The troll armies are spreading across
borders, creating a self-reinforcing cacophony of hate. Blue checkmarks
continue to act with impunity, and when they are given a slap on the wrist,
they turn their hordes on Twitter itself. Then there are the blue checkmark
propaganda Tweet rings, and multi-admin verified accounts spread across
multiple countries, which make a mockery of the concept of a verified account.

Twitter seems incapable of dealing with these issues. If Twitter died
tomorrow, or split the platform into multiple namespaces, the world would be a
better place, especially since it seems to have a disproportionate hold on the
minds of journalists.

------
tylerjaywood
Vulnerability in their 2fa or did @jack just not have it turned on?

~~~
0x00000000
Couldn’t he have just gotten phished?

~~~
pabl8k
Some forms of 2FA are unphishable. If he used Authy or SMS, where you type in
a code that can be intercepted and replayed within a window, yes. If he had set
up a hardware key like U2F (like a YubiKey), no.

Edit because I can't reply: for Twitter you have to remove your phone number.
I keep TOTP active as a backup, but might not if I had a highly followed
account.
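
An added example (not from this thread, and not Twitter's or any vendor's code) illustrating the distinction pabl8k draws: a TOTP code carries no information about where it was typed, so a code relayed from a look-alike site is still accepted within the server's time window, whereas a U2F-style assertion is signed over the origin the browser actually sees and fails verification at the real site. The TOTP part follows RFC 4226/6238 with the RFC test-vector key; the U2F part is a simplified HMAC model (real U2F uses per-credential ECDSA), and the key secret, challenge and origins are constructed values.

```python
import hashlib
import hmac
import struct

# ---- TOTP (RFC 6238 over RFC 4226 HOTP): the "Authy"-style code ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """TOTP is HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(now // step))

def server_accepts_totp(secret: bytes, submitted: str, now: float,
                        step: int = 30, skew: int = 1) -> bool:
    """Servers usually accept neighbouring time steps to tolerate clock drift;
    that tolerance is exactly the window in which an intercepted code stays valid."""
    counter = int(now // step)
    return any(hmac.compare_digest(submitted, hotp(secret, counter + d))
               for d in range(-skew, skew + 1))

def relayed_totp_accepted(secret: bytes, t_typed: float, t_relayed: float) -> bool:
    """The user types a code into a look-alike site, which forwards it to the real
    site (t_relayed - t_typed) seconds later. Nothing in the code says which site
    it was typed into, so the real site cannot tell the difference."""
    return server_accepts_totp(secret, totp(secret, t_typed), t_relayed)

# ---- Origin-bound assertion, modelled on U2F / WebAuthn ----
# Constructed model: HMAC with the key's secret stands in for per-credential
# ECDSA so the example runs stand-alone. The property that matters is the
# same: the browser, not the web page, supplies the origin that gets signed.
def u2f_sign(key_secret: bytes, challenge: bytes, origin_seen_by_browser: str) -> bytes:
    msg = origin_seen_by_browser.encode() + b"|" + challenge
    return hmac.new(key_secret, msg, hashlib.sha256).digest()

def server_accepts_u2f(key_secret: bytes, challenge: bytes, assertion: bytes,
                       expected_origin: str) -> bool:
    """The real site verifies against its own origin, never the page's claim."""
    expected = hmac.new(key_secret, expected_origin.encode() + b"|" + challenge,
                        hashlib.sha256).digest()
    return hmac.compare_digest(assertion, expected)

def u2f_login(key_secret: bytes, challenge: bytes, browser_origin: str,
              real_origin: str) -> bool:
    """One login attempt: the challenge may have been relayed from the real site
    by a phishing page, but the signature covers the origin the browser sees."""
    assertion = u2f_sign(key_secret, challenge, browser_origin)
    return server_accepts_u2f(key_secret, challenge, assertion, real_origin)

if __name__ == "__main__":
    SECRET = b"12345678901234567890"           # RFC 4226 test-vector key
    KEY = b"constructed-u2f-key-secret"        # constructed, not a real key
    CHALLENGE = b"constructed-challenge-0001"  # constructed
    print("relayed TOTP, 40 s later  :", relayed_totp_accepted(SECRET, 1000.0, 1040.0))
    print("legit U2F, same origin    :", u2f_login(KEY, CHALLENGE, "https://real-site.example", "https://real-site.example"))
    print("relayed U2F via look-alike:", u2f_login(KEY, CHALLENGE, "https://look-alike.example", "https://real-site.example"))
```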

~~~
dmoy
Does twitter let you disable sms/authy fallback if you are using u2f? Many
websites don't.

------
CM30
Hmm, apparently the people behind this have been behind quite a few high
profile Twitter account hacks recently. They also hacked the account of a
gaming YouTuber called Etika, as well as others like Shane Dawson and James
Charles:

[https://knowyourmeme.com/memes/events/chuckling-squad-hacks](https://knowyourmeme.com/memes/events/chuckling-squad-hacks)

Wonder if the affected users all used the same system in the past?

~~~
sdan
These high-level YouTubers used 2FA with their phones, which nowadays is easy
to port (port their phone numbers to your SIM using social hacking).

Only if they (and Jack) used a FIDO U2F key would they be really safe.

~~~
zenexer
Does Twitter even permit that? If I recall correctly, it forces SMS 2FA.

In this case, Jack's account would've been compromised regardless because the
tweets were sent via a third-party application that he had authorized to use
his account.

------
pascalxus
We've seen this movie before. We've seen numerous stories like this over the
last 5 years. The phone number gets ported to another phone by hackers, and
then they start resetting all the person's accounts. SMS is no longer a safe
2FA. We need to get cell phone providers to secure phone numbers better. At
the very least they should allow all their users to provide a PIN before
porting!

------
redthrowaway
Unconfirmed, but there's a suggestion the "hack" was an SMS spoof on
Cloudhopper, an SMS-to-Tweet platform Twitter acquired 10 years ago:

[https://twitter.com/GossiTheDog/status/1167533000592109568](https://twitter.com/GossiTheDog/status/1167533000592109568)

------
bit_4l
If it’s that easy to hack Jack’s Twitter account then we should think twice
about its safety. Sounded like a joke.

------
iconjack
If one is interested at all in the Twitter CEO's account being hacked, you
want to know what they did with it, i.e. what did they tweet? Notice that none
of these news sources actually told us what was tweeted (e.g. FUCK NIGGERS).
JFC, we're adults—just tell us what was tweeted.

~~~
kd5bjo
I don't understand how providing further distribution of these messages helps
anyone other than the attackers, whose obvious goal was to get these messages
seen by lots of people. Why else would they be posting them via a high-profile
Twitter account?

------
phantom_oracle
The psychology behind what hackers say in these high-profile attacks is far
more interesting than the account takeover itself.

Some of them say racist things or speak about Hitler because they know it will
attract far more attention than say: posting a link to some shady website to
spread malware.

------
joshmn
Don't forget to rotate your credentials and revoke any unused applications,
ladies and gentlemen.

------
miguelmota
Does anyone know anything about the service Jack was using called CloudHopper?
The official website appears dead
[http://www.cloudhopper.com/](http://www.cloudhopper.com/)

~~~
jazzychad
It was the provider that handled the SMS gateway for posting tweets through
the 40404 short code. The prevailing theory is that his account was hijacked
using SIM swapping, and the hijackers tweeted through SMS. Cloudhopper is
still the name of the "twitter app" that gets attribution for tweets posted
through SMS.

~~~
bifrost
I got some more intel on this -> unlikely sim swapped, probably just number
spoofing. The "quality" of the "hackers" indicates this is the work of
skiddies rather than an actual hack.

~~~
Stevvo
Ahh, the old 90s "skiddies" trope. Aka "I wish I had thought of that first."

~~~
bifrost
Indeed! It's a pity "rootshell" is gone, otherwise this would be a popular
topic there lol.

------
davidp670
Looks like it's gone now but there was a Tweet from Jack's account that said,
"Unsuspend my shit @plugwalkjoe @percocet @99 u bald skeleton head tramp"

~~~
miguelmota
Here's a screenshot of that and some of the retweets:

[https://imgur.com/a/7jm6JkE](https://imgur.com/a/7jm6JkE)

You can see them on the web archive:

[https://web.archive.org/web/20190830200105/twitter.com/jack](https://web.archive.org/web/20190830200105/twitter.com/jack)

~~~
Deimorz
Screenshots of more of the tweets, not sure if this is all of them (warning:
includes racial slurs and similar):

[https://pbs.twimg.com/media/EDPrA0lWkAcFxc2?format=jpg&name=...](https://pbs.twimg.com/media/EDPrA0lWkAcFxc2?format=jpg&name=large)

[https://pbs.twimg.com/media/EDPrCh4XkAA3i9W?format=jpg&name=...](https://pbs.twimg.com/media/EDPrCh4XkAA3i9W?format=jpg&name=large)

[https://pbs.twimg.com/media/EDPrDLJWsAEySy-?format=jpg&name=...](https://pbs.twimg.com/media/EDPrDLJWsAEySy-?format=jpg&name=large)

[https://pbs.twimg.com/media/EDPrDxXXkAEoeKQ?format=jpg&name=...](https://pbs.twimg.com/media/EDPrDxXXkAEoeKQ?format=jpg&name=large)

------
fortran77
Maybe this will bring some attention to the horrible security that mobile
providers have, and how they can be easily made to reassign your active number
to someone else.

------
ETHisso2017
Hmmm what's stopping someone from hacking Trump's twitter account and
announcing things that would swing the stock market?

"I am now placing sanctions on the Bank of China and PetroChina for North
Korean oil sales" "I am now announcing Magnitsky sanctions on [insert Central
Committee members here] for Xinjiang" "The whole country of China is now
subject to technology sanctions" "I am now placing tariffs on German cars
until Germany cancels Nord Stream" "I am banning US companies who source
components from China from participating in federal contracts"

or even positive news like "Tomorrow, my great friend Xi Jinping and I will
announce a wonderful deal with China that lifts all tariffs, solves IP issues,
and lets our great economy invest in theirs and vice versa"

~~~
panarky
Instead of posting bullshit on @jack's timeline, what about "I'm thrilled to
announce Twitter is being acquired by Amazon for $82 a share."

~~~
mandeepj
No point. All trades made can be reversed, especially those based on false news.

------
palisade
This might be an unpopular opinion. But, I found this pretty funny.

------
lazzlazzlazz
Is this interesting? Not a shit post question - do routine minor security
breaches rise to the level of noteworthy these days?

~~~
jordanpg
That was my first thought too -- it seems profound, although it's difficult to
articulate why. It's not like high-profile individuals have special security
protocols available to them. Just the same password/2FA like the rest of us
proles.

On the other hand, it did make me consider that there are some accounts that
could be compromised that would be _very_ significant: Trump.

~~~
beardog
Although technically available to anyone, Google has an "advanced protection
program" for highly targeted accounts. It has the following (may have missed
some) effects on your account:

* locked to 2fa with security keys
* limiting the set of apps that can access account data
* better scrutinized account reset - I assume this means it makes your account more resistant to phishing on Google employees' part.

[https://landing.google.com/advancedprotection/](https://landing.google.com/advancedprotection/)

It's nice that Google apparently makes this available to anyone who is willing
to buy the security keys. It would be nice if all major social media services
had such a program.

~~~
hermitdev
Not sure if this falls into the advanced protection for Google, but about a
year or two ago I got a notification of a suspicious login from Moscow (I'm
from the US and have never travelled out of North America). Promptly changed
my password.

------
ghobs91
If it's this easy to hack Trump's Twitter account and say things that could
trigger war, maybe we need to reconsider allowing elected officials to use
social media as their official communications channel. Instead, they should
have a government run portal where they relay whatever info they need to.

~~~
flixic
I'd wager that government-run portals might be even easier to hack.

Regardless of that, separating "official communications" from "personal" would
be really tricky. Which tweets would come as "the current president" and which
as "the candidate up for re-election"?

In addition to that, there are actually separate accounts (official @POTUS /
personal @realDonaldTrump) but Trump-the-person has no incentive to ever use
the official account (it's not "his") and so all @POTUS account does is just
retweet the personal account, sort of defeating the purpose.

~~~
paulpauper
Look at Equifax for example: huge organization yet undone by very elementary
errors.

------
taytus
Please, and in all honesty and with zero trolling intentions, but please,
could someone explain to me why the #NIXXXX hashtag is not banned? To be
honest, that's the only thing I care to understand. I would really appreciate
if you can educate me. Thank you.

------
iikoolpp
Did he really get hacked or did he just get his phone back from his PR team?

------
rvz
Move along now, nothing to see here, just another user getting their account
hacked and forgot to enable 2FA on their account.

On a serious note the people who hacked Jack and several others are called
#ChucklingSquad. So actually be cautious of protecting your account.

~~~
sarcasmatwork
Just another user? Don't think the CEO of Twitter is just another user. Funny
he did not do 2FA tho. hah!

~~~
nodesocket
Maybe his 2FA was compromised by mobile number transfer (that would be very
bad).

~~~
empyrical
This _may_ be the case:

[https://www.treyexgaming.com/index.php/2019/08/26/how-the-sa...](https://www.treyexgaming.com/index.php/2019/08/26/how-the-same-hacker-has-hacked-over-10-content-creators/)

These appear to have been done by the same people who compromised Jack.

