Jack Dorsey’s account was hacked (theverge.com)
155 points by minimaxir 50 days ago | 167 comments



I don't know how the account was compromised - but, I notice that Twitter's hardware U2F support is not designed to be very usable. They only allow one security key per account, whereas most users have multiple - one on the keychain, one left in the laptop, etc. So, I bet that high-risk accounts like Jack are not even using this enhanced security mode because of its poor user experience.

Compare this to Google where every employee is issued multiple hardware keys, internal systems require security keys, and they put a lot of effort into their "Advanced Protection Program" to make it usable: https://landing.google.com/advancedprotection/


Twitter and Google are on completely different planes when it comes to what data and access they have to protect.


That's true. One is the President's principle mechanism of speaking with the American public and firing top officials.


“principal”


If Trump's account got hacked it could quite literally result in the death of millions.


I’m just curious how you imagine this happening. @realdonaldtrump tweeting “I HEREBY ORDER...” is not a legally binding order. Launching nuclear missiles or whatever requires authentication codes and can only be ordered via a portable radio alongside a series of codebooks, all of which is carried by a military aide who is always near the President. Another country isn’t going to start a war based on some weird tweets. It’s an extremely unlikely and weird risk.


If North Korea did have a means of delivering nukes with ICBMs, and this previous type of thing: https://twitter.com/realdonaldtrump/status/94835555702242099...

had escalated more, I don't think it's too far-fetched to imagine an unstable dictator sending off a nuke after being goaded on twitter.

I think it's within the realms of possibility at the very least, although very unlikely (mostly because NK hasn't got a decent delivery system, their nukes aren't very advanced/portable yet and Kim Jong Un's probably not too keen for NK to be destroyed in retaliation).

Given Trump's recent tweet of the spy satellite image, and the apparent taunting of Iran, it's also possible that type of thing could be responsible for triggering future terrorist attacks (although obviously that's not millions of people).


Terrorists and rogue dictators are often described as "unstable" or "irrational", but they tend to be rational within certain boundaries. For example, if you actually believe the nonsense about an afterlife filled with dozens of virgin concubines, suicide bombing becomes a rational decision, aside from being motivated by an irrational belief. Likewise, Kim's strategy follows the basic form of hostage-taking. If Kim actually "sent off a nuke", he would lose much of his leverage, just as a hostage taker loses leverage as soon as he starts killing hostages.


His tweets regularly have material impact on the markets.


But how would that kill millions of people? There’s a super indirect chain of events there.


Imagine triggering a global depression.

Imagine what effect that would have on already-pressured populations across the globe.


A well crafted message that inflames followers to riot...

I'm the kind of person who, for example, doubted the Covington Kids story from the beginning. By which I mean I'm not particularly alarmist about a putative vast right-wing catastrophe taking place. But any popular leader (and he's very popular among the people he's popular with) can start incidents like that by accident.


You mean like accusing people of treason? (punishable by death) He’s already done that from his account. To my knowledge Comey hasn’t been lynched.


This is true. Trump is so loud the whole time that it's hard to take him very seriously, even for his supporters.


Ok but what “riot” in human history has killed MILLIONS of people? The Rwandan genocide was pretty close, except the groundwork for inciting it was laid over the course of months via state radio and they imported machetes into the country before the message was sent to “cut down the tall trees”. A compromised Twitter account isn’t going to do it.


More likely is that some Russian or Chinese hackers would make statements that tank the stock market. While setting up some short positions immediately prior.


The funny part about this is that if we are to believe Trump is a Manchurian candidate, they already did this with the trade war.


Imagine if you were an intelligence agency and you were permitted to surveil American communications, and there was this pesky congressman who didn't want to support your organization, so you collect lewd photos of him from his phone and post them on his Twitter repeatedly.

You could effectively use the data on Twitter to control the leaders of the US. "Hey, remember that congressman who didn't like us and then accidentally tweeted his own sexts? That was hilarious. Anyway, we'd really like you to increase funds and be more permissive about what our agency can do."

Apropos of nothing, here's an interesting website: https://votesmart.org/candidate/key-votes/23162/anthony-wein...


> Imagine if you were an intelligence agency and you were permitted to surveil American communications, and there was this pesky congressman who didn't want to support your organization, so you collect lewd photos of him from his phone and post them on his Twitter repeatedly.

> You could effectively use the data on Twitter to control the leaders of the US. "Hey, remember that congressman who didn't like us and then accidentally tweeted his own sexts? That was hilarious. Anyway, we'd really like you to increase funds and be more permissive about what our agency can do."

> Apropos of nothing, here's an interesting website: https://votesmart.org/candidate/key-votes/23162/anthony-wein....

I may be dense but it was not clear to me what the point in linking to the votesmart site was? Is it the change between pro/against for patriot act?


> collect lewd photos of him from his phone and post them on his Twitter repeatedly

He's suggesting that Anthony Weiner was "framed" by some 3-letter agency.


Yeah. On Twitter you can potentially impersonate the President and cause weeks/months of political chaos by calling someone the N-word or something similar.


This raises an interesting question. Such an attacker would need to craft a tweet with the following constraints:

* Plausible so that people do not believe it is a compromise

* Offensive enough to cause action

* Not in the category that people just roll their eyes and think Trump is being outrageous on the internet again.

This is probably harder than it seems at first glance.


"I am now reviewing papers to double the tariffs against China. I will win this trade war no matter what."


> This raises an interesting question. Such an attacker would need to craft a tweet with the following constraints:

> * Plausible so that people do not believe it is a compromise

> * Offensive enough to cause action

> * Not in the category that people just roll their eyes and think Trump is being outrageous on the internet again.

> This is probably harder than it seems at first glance.

Is the third bullet even a thing after the whole Greenland debacle? Before then I had already thought I'd heard it all.


And? If you want your company to avoid becoming a headline, you need the best security you can afford.


I use U2F everywhere and can tell you that Twitter's usability with U2F is really poor. Can't remember why I stopped using U2F on twitter, but it's probably because of that fact that I couldn't use multiple keys.


Is it worth considering advanced protection as a normal person? Would it make life a pain in the butt?


I'll be interested to see the post-mortem on this breach for sure.

As an outsider, I would have thought that the Twitter security team would have a set of high-value users (with @jack being at the top of the list) who'd they keep very close tabs on in terms of any unusual activity.

Realistically Twitter is where announcements are made by world leaders and major corporations, control of these accounts could have repercussions, although in this case it just seems to have been a general hack...


I don't think "keep very close tabs on" can prevent an attack on an account before it happens. All it can do is help clean up the damage quickly. Which is what happened here. The offending tweets were deleted in 10-15 minutes. That's a pretty good response time.

What could prevent an attack is limiting the features available to high-value users. One could imagine, for example, limiting 3rd party API access. Depending on what actually happened here, that might have prevented this. But there is a downside of reduced functionality for the owners of the accounts in question. There's always tradeoffs.


I'd agree that there are always trade-offs; however, you could do a number of things to detect an active attack. Changes in user agent, location, etc. can be detected and flagged for review. Now that's not possible at scale, but for high-value users it would seem like a not outrageous countermeasure.


they've confirmed jack's SIM was hijacked. no amount of 3rd party API stuff can help there


Why can his password even be reset remotely, and not something done by other company employees (HR, etc)?

In an enterprise setting where people work in an office I don’t see the point of allowing self-service password resets. It opens you to huge risk for very little upside compared to having to physically walk into the office (if you aren’t there already) and have HR/line manager/etc do it for you.


I mean, it's easy to say after the fact, but I guarantee you most CEOs don't think to do this until they've been hacked.


It's the same idea though: they could turn off posting via SMS for high value accounts.


No, once they pwn your number it's a 2FA vector, so they get full control.


I believe they do keep close tabs on high profile accounts. I happened to notice it in my feed when the news hadn't broken out yet (took a couple of screenshots out of surprise too). The team quickly took all of it down as and when they were being posted. It lasted for about 10 minutes or so. The hackers were adding mentions to other accounts which were immediately suspended by the folks at Twitter too.


I think most of the suspicions so far have been pointing to a sim swapping attack.


Hopefully if that's the case, more attention will be paid to the fact that using mobile phones for 2FA or identification on high value services is a bad idea :)


Using phones is fine, using phone numbers is the problem. TOTP is great


Until the authenticator app which holds the TOTP secrets in clear text is on the same phone as you are using to access the website/app in question to start with. Then you'd probably be better off instead storing a token in the secure enclave in the app itself instead.


I don't understand why people do that. Your 2nd authentication factor should not be something relying on the same device that you're using.


It reduces the set of people who can access your account from "people with the password" to "people with the password and access to my phone."

It's less like a 2nd factor and more like a poor man's password-protected private key authentication, but it's way better than just a password.


TOTP is OK (probably would have been adequate for @jack).

U2F is "great".

TOTP can be phished, whereas U2F is virtually impossible to phish.


>where announcements are made by world leaders and major corporations, control of these accounts could have repercussions

That control should not be solely in Twitter's hands.

Those leaders and orgs need to take a strong look at authenticity via ActivityPub self-hosted on their own namespaces.


Self-hosting and security don't necessarily go hand-in-hand. For laypeople, self-hosting is usually worse: they don't know what threats to protect against, and even if they knew what to protect against they wouldn't know how.

And Twitter is where the audience is.


By self-hosting I would propose the Gmail/G Suite model. Managed service but the organization controls users and the DNS.


That’s not usually known as “self hosting”


No but owning the namespace is important. It puts you, not Twitter, in the driver's seat.


Jack's account is self-hosted on a website he runs. It just happens to be Twitter dot com.


That's a view for sure, however it seems that some world leaders and corporations have decided that the trade offs are worth the risk...


Top of the list should be all presidents, starting with the US.


A better report: https://www.theverge.com/2019/8/30/20841288/jack-dorsey-ceo-...

The fact that the account was used to spread racist & nazi propaganda should be a clue; timing it for 1pm on a Friday afternoon suggests a degree of sophistication.


Looks like bog-standard troll content.

1pm is sophisticated in which timezone?


I decided not to include links to the overt nazi/racist content.


Why is 1pm on a Friday significant?


Because people in the same timezone are mostly at lunch and starting to relax for the weekend, so the potential audience is large. I wasn't thinking of anything market-related as another person suggested.


You're probably right. After-hours trading is so large these days that the big movers don't care when the news is announced.


Markets close at 1pm PT/4pm ET though I wouldn’t think investors would care (and judging by lack of movement it seems to be the case)


1pm PT is 4pm ET, and as we know from cron, 4pm is teatime.


I wish I were so subtle!


Ok, we'll change the URL to that. Thanks!


At first I thought the blame would be mostly on the cell providers but it seems Twitter deserves at least half the blame here.

I just tested the flow. If your phone is linked to your account, regardless of your 2FA settings you can just start tweeting to your account by texting to 40404 without being asked to enter a password and completely bypassing any 2FA settings on your account.

That seems highly unusual to me. Most of these attacks happen with the hacker knowing the password as well. In this case, so long as you’ve successfully ported the number you’re “in”.


Even worse than that, removing your phone number will _silently_ disable all other 2FA methods, even if you already had SMS 2FA turned off. The only way to prevent your phone number from being used in account recovery is to disable 2FA altogether, because Twitter does not allow any 2FA without a phone number attached to the account. It's appalling.


Yes, actually they do allow 2FA without a phone number attached to the account and I have set this up multiple times.


How? I just tried it and you need to add your phone number in order to enable the 2FA. After you set up the app 2FA, and go to the phone tab and hit delete number, it will also remove the 2FA. Also it allows this without entering password or 2FA, which is bizarre.


I'm going to have to apologize on this. I did it before the recent site change, but I don't see any way to do it now.


This was the original use case of Twitter, to allow social media from dumb phones.


It's worth noting the client is Cloudhopper: that has been compromised before.

https://twitter.com/gruber/status/859857475146854402


Here's some background on what "Cloudhopper" is:

https://twitter.com/bhaggs/status/1090016722415845376


And a reply to that tweet mentions that it was used to hack other accounts before:

"I know this is an old Tweet. But are you helping out with Shrouds jacked account? Looks like whoever took over the account is using Cloudhopper to post these hateful messages on Shrouds Timeline."


I wonder if Jack is a victim of a SIM port hack?


Seems like a waste of a hack, posting some messages that are quickly deleted and forgotten with no long-term gain. I would have done the eth/btc giveaway scam thing and at least made good $ off it. It's like being smart in some regard, such as hacking, but dumb in others, such as maximizing the gain from the hack.


The hacker could have said he is stepping down from TWTR because of massive financial fraud, and make money by trading TWTR.


Doing so would make it really easy to trace it back to him, if he decides to make a trade big enough. The data of all trades on public markets is, after all, public.


Is it possible to make a substantial amount of money on such schemes while evading detection and subsequent prosecution?

https://www.marketwatch.com/story/to-catch-a-thief-how-nasda...


There are a couple offshore companies that let you buy/sell stocks with Bitcoin semi-anonymously. The problem is you can't short, so your attack has to result in pumping the stock: "Taking Twitter private at $420 a share".


You don't do it by selling TWTR one minute before the hack.

You use your brain a little. You prepare your positions months in advance, and hedge out market risks.

You can also use less regulated brokers in far away places and trade TWTR derivatives.


Ok but brokers aren't less regulated, exchanges are, and Twitter isn't traded on every exchange.


If you want jail time, insurance fraud is probably a tad quicker.


except that governments would quickly try to freeze the banks and stock accounts


There are millions of traders trading randomly (see r/wsb). Good luck spotting the one belonging to the hacker.


This is one information theory war against the FBI I can almost promise you would lose.


The "hacker" called AT&T and conned the call center rep into swapping Jack's SIM. It's not like they exploited a buffer overflow on Twitter's authentication service or something. They aren't smart.


I guess this is the "in for a penny, in for a pound" school of thought?

(If you're going to be arrested for CFAA violations, might as well throw in some financial crimes too. Make sure you're unemployable for the rest of your life.)


This is currently on every news channel and the content was pure trolling, no politics or agenda besides pushing some Discord channel. So seems like a win to me.


I can only imagine the possibilities if the president's account were hacked.


Fortunately the hackers always seem to speak like excited teenagers instead of impersonating the people they hack.


“speak like excited teenagers”

So does the president


I get more of a "grouchy geriatric in the early stages of dementia" vibe


Well, he's already cheerfully posting photos of classified satellite intel, so how bad can it be?




Why do you say the account is unhinged and not taken seriously? Is this just your political bias showing?


Embarrassing but inconsequential


This is a dumb question and I want to qualify that my field is medicine, not technology: would one have the same username and password on the web-facing side of a website as the backend of things (having access to servers or I have no idea what else one would do)? I have no idea how any of this works, but am curious if this would be the case.


Could you? Sure.

Would you? Not unless you were completely batshit insane.


Why would this make you batshit insane? Would a long enough password negate this or would you never want the login to be obscure?

I appreciate the answers here!


In general, you shouldn't ever reuse a password for multiple things, no matter how complex the password is (see https://xkcd.com/792/). If your password is leaked (which might not even be your fault), you don't want the attackers getting access to everything.

A large website is made up of many different complex, interconnected components, and it would be quite possible for an attacker to compromise a public account while the backend infrastructure is unaffected.


How often does this happen?


Very frequently. Off the cuff, I'd estimate that 99% of non-tech-savvy users utilize the same password for everything, maybe with subtle variations according to whatever service's requirements for a password.

Probably among tech-savvy people, the percentage is lower, but still higher than it should be.

I myself, having been in IT for over 20 years, am guilty of this for non-sensitive accounts. For significant accounts, they're randomly generated to the longest and highest degree a service allows. My gmail password, for instance, is a 40 character random spread along their allowed characters. I cannot remember it.


I'm sure it happens plenty. People are unaware, forgetful and lazy.


This hack is a symptom of a much bigger loss of control. Twitter is an absolute dumpster fire at this point. The troll armies are spreading across borders, creating a self-reinforcing cacophony of hate. Blue checkmarks continue to act with impunity, and when they are given a slap on the wrist, they turn their hordes on Twitter itself. Then there are the blue checkmark propaganda Tweet rings, and multi-admin verified accounts spread across multiple countries, which make a mockery of the concept of a verified account.

Twitter seems incapable of dealing with these issues. If Twitter died tomorrow, or split the platform into multiple namespaces, the world would be a better place, especially since it seems to have a disproportionate hold on the minds of journalists.


Vulnerability in their 2fa or did @jack just not have it turned on?


Looks like a sidestep around it using an SMS bridge that got hit with an AT&T internal breach.


Twitter has the option of using 2FA with an authenticator app, though if this is an ATT issue he must've fallen victim to a port attack and must've been using SMS-based 2FA (which many would argue is not really 2FA at all).


Couldn’t he have just gotten phished?


Some forms of 2FA are unphishable. If he used Authy or SMS, where you type in a code that can be intercepted and replayed within a window, yes. If he had set up a hardware key like U2F (like a yubikey), no.

edit because I can't reply: for twitter you have to remove your phone number. I keep TOTP active as a backup, but might not if I had a highly followed account.
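The difference argued in this thread (a TOTP code is just six digits the real site will accept from anyone who relays it in time, while a U2F assertion is bound to the origin the browser is actually on) worked through as an added example; this is not code from any comment above. The TOTP half is RFC 6238 with its published SHA-1 test secret; the U2F half is a constructed model that uses HMAC-SHA256 in place of the authenticator's per-site ECDSA key, and the origins, device seed and challenge are made up.

```python
"""Why a phishing relay defeats TOTP but not a U2F key (constructed model)."""
import hashlib
import hmac
import struct

TOTP_STEP = 30  # seconds per window, the RFC 6238 default
# RFC 6238 Appendix B test secret for the SHA-1 vectors (not a real credential)
RFC_SECRET = b"12345678901234567890"
# Constructed values for the U2F half of the demonstration
DEVICE_SECRET = b"constructed-authenticator-seed"
RP_ORIGIN = "https://twitter.com"
PHISH_ORIGIN = "https://twitter-login.example"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from wall-clock time."""
    return hotp(secret, unix_time // TOTP_STEP)


def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    """Typical server check: current window or the previous one (clock tolerance).
    Nothing in the code says WHERE the user typed it."""
    return code in (totp(secret, now), totp(secret, now - TOTP_STEP))


def totp_relay_succeeds(secret: bytes, typed_at: int, relay_delay: int) -> bool:
    """Phishing relay: the fake site collects the six digits the user read off the
    app at `typed_at` and submits them to the real site `relay_delay` seconds
    later. It works whenever the code is still inside an accepted window."""
    code_typed_on_fake_site = totp(secret, typed_at)
    return server_accepts_totp(secret, code_typed_on_fake_site, typed_at + relay_delay)


def u2f_site_key(device_secret: bytes, origin: str) -> bytes:
    """A real key handle wraps a per-site ECDSA key pair; here a per-site MAC key
    is derived from the device secret and the appId hash (simplification)."""
    app_param = hashlib.sha256(origin.encode()).digest()
    return hmac.new(device_secret, app_param, hashlib.sha256).digest()


def _signed_bytes(origin: str, counter: int, challenge: bytes) -> bytes:
    # Mirrors the U2F authentication response: appId hash || user-presence
    # flag || 32-bit counter || challenge hash.
    app_param = hashlib.sha256(origin.encode()).digest()
    chal_param = hashlib.sha256(challenge).digest()
    return app_param + b"\x01" + struct.pack(">I", counter) + chal_param


def u2f_sign(device_secret: bytes, browser_origin: str, challenge: bytes, counter: int) -> dict:
    """The BROWSER supplies the origin the page is really served from; a page
    cannot request another site's appId. The signing key also differs per origin."""
    key = u2f_site_key(device_secret, browser_origin)
    msg = _signed_bytes(browser_origin, counter, challenge)
    return {"counter": counter, "sig": hmac.new(key, msg, hashlib.sha256).digest()}


def rp_verify(registered_key: bytes, rp_origin: str, challenge: bytes,
              last_counter: int, response: dict) -> bool:
    """Relying party recomputes over ITS OWN origin with the key registered at enrollment."""
    msg = _signed_bytes(rp_origin, response["counter"], challenge)
    expected = hmac.new(registered_key, msg, hashlib.sha256).digest()
    return response["counter"] > last_counter and hmac.compare_digest(expected, response["sig"])


def u2f_relay_succeeds(device_secret: bytes, rp_origin: str, phish_origin: str, challenge: bytes) -> bool:
    """Phishing relay against U2F: the attacker fetches a genuine challenge from
    the RP, the victim's browser (on phish_origin) has the key sign it, and the
    attacker forwards the response. Both the key and the signed appId hash belong
    to phish_origin, so the RP's check fails."""
    registered_key = u2f_site_key(device_secret, rp_origin)  # enrolled at the real site
    response = u2f_sign(device_secret, phish_origin, challenge, counter=7)
    return rp_verify(registered_key, rp_origin, challenge, last_counter=6, response=response)


def u2f_legit_succeeds(device_secret: bytes, rp_origin: str, challenge: bytes) -> bool:
    """Same flow with the browser genuinely on the RP origin: verification passes."""
    registered_key = u2f_site_key(device_secret, rp_origin)
    response = u2f_sign(device_secret, rp_origin, challenge, counter=7)
    return rp_verify(registered_key, rp_origin, challenge, last_counter=6, response=response)


if __name__ == "__main__":
    print("TOTP relayed 2 s later accepted:", totp_relay_succeeds(RFC_SECRET, 1111111109, 2))
    print("U2F relayed from phishing origin accepted:",
          u2f_relay_succeeds(DEVICE_SECRET, RP_ORIGIN, PHISH_ORIGIN, b"challenge"))
```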


Does twitter let you disable sms/authy fallback if you are using u2f? Many websites don't.


One point of 2FA is to protect from phishing.


I was thinking exactly the same. Surely, surely he had 2fa on


Hmm, apparently the people behind this have been behind quite a few high profile Twitter account hacks recently. They also hacked the account of a gaming YouTuber called Etika, as well as others like Shane Dawson and James Charles:

https://knowyourmeme.com/memes/events/chuckling-squad-hacks

Wonder if the affected users all used the same system in the past?


These high-level Youtubers used 2FA with their phones, which nowadays is easy to port (port their phone numbers to your SIM using social hacking).

Only if they (and jack) used a FIDO U2F key would they be really safe.


Does Twitter even permit that? If I recall correctly, it forces SMS 2FA.

In this case, Jack's account would've been compromised regardless because the tweets were sent via a third-party application that he had authorized to use his account.


We've seen this movie before. We've seen numerous stories like this over the last 5 years. The phone number gets ported to another phone by hackers. And then they start resetting all the person's accounts. SMS is no longer a safe 2FA. We need to get cell phone providers to secure phone numbers better. At the very least they should allow all their users to provide a PIN before porting!


Unconfirmed, but there's a suggestion the "hack" was an SMS spoof on Cloudhopper, an SMS-to-Tweet platform Twitter acquired 10 years ago:

https://twitter.com/GossiTheDog/status/1167533000592109568


If it’s that easy to hack Jack’s Twitter account then we should think twice about its safety. Sounded like a joke.


If one is interested at all in the Twitter CEO's account being hacked, you want to know what they did with it, i.e. what did they tweet? Notice that none of these news sources actually told us what was tweeted (e.g. FUCK NIGGERS). JFC, we're adults—just tell us what was tweeted.


I don't understand how providing further distribution of these messages helps anyone other than the attackers, whose obvious goal was to get these messages seen by lots of people. Why else would they be posting them via a high-profile Twitter account?


The psychology behind what hackers say in these high-profile attacks is far more interesting than the account takeover itself.

Some of them say racist things or speak about Hitler because they know it will attract far more attention than say: posting a link to some shady website to spread malware.


Don't forget to rotate your credentials and revoke any unused applications, ladies and gentlemen.


Does anyone know anything about the service Jack was using called CloudHopper? The official website appears dead http://www.cloudhopper.com/


It was the provider that handled the SMS gateway for posting tweets through the 40404 short code. The prevailing theory is that his account was hijacked using SIM swapping, and the hijackers tweeted through SMS. Cloudhopper is still the name of the "twitter app" that gets attribution for tweets posted through SMS.


I got some more intel on this -> unlikely sim swapped, probably just number spoofing. The "quality" of the "hackers" indicates this is the work of skiddies rather than an actual hack.


Ahh, the old 90s "skiddies" trope. Aka "I wish I had thought of that first."


Indeed! It's a pity "rootshell" is gone, otherwise this would be a popular topic there lol.


Looks like it's gone now but there was a Tweet from Jack's account that said, "Unsuspend my shit @plugwalkjoe @percocet @99 u bald skeleton head tramp"


Here's a screenshot of that and some of the retweets:

https://imgur.com/a/7jm6JkE

You can see them on the web archive:

https://web.archive.org/web/20190830200105/twitter.com/jack


Maybe this will bring some attention to the horrible security that mobile providers have, and how they can be easily made to reassign your active number to someone else.


Hmmm what's stopping someone from hacking Trump's twitter account and announcing things that would swing the stock market?

"I am now placing sanctions on the Bank of China and PetroChina for North Korean oil sales" "I am now announcing Magnitsky sanctions on [insert Central Committee members here] for Xinjiang" "The whole country of China is now subject to technology sanctions" "I am now placing tariffs on German cars until Germany cancels Nord Stream" "I am banning US companies who source components from China from participating in federal contracts"

or even positive news like "Tomorrow, my great friend Xi Jinping and I will announce a wonderful deal with China that lifts all tariffs, solves IP issues, and lets our great economy invest in theirs and vice versa"


Instead of posting bullshit on @jack's timeline, what about "I'm thrilled to announce Twitter is being acquired by Amazon for $82 a share."


No point. All trades made can be reversed especially based on false news


This might be an unpopular opinion. But, I found this pretty funny.


Is this interesting? Not a shit post question - do routine minor security breaches rise to the level of noteworthy these days?


I'd say influential figures (i.e. the CEO of the platform) having their accounts hacked and posting bomb threats is considered noteworthy...


It is karmic justice for yet another company that pushes SMS 2fa as "safe"


If someone got into Zuck's facebook account I'd be interested in knowing.


That was my first thought too -- it seems profound, although it's difficult to articulate why. It's not like high-profile individuals have special security protocols available to them. Just the same password/2FA like the rest of us proles.

On the other hand, it did make me consider that there are some accounts that could be compromised that would be very significant: Trump.


Although technically available to anyone, Google has an "advanced protection program" for highly targeted accounts. It has the following (may have missed some) effects on your account:

* locked to 2FA with security keys

* limiting the set of apps that can access account data

* better scrutinized account reset - I assume this means it makes your account more resistant to phishing on Google employees' part.

https://landing.google.com/advancedprotection/

It's nice that Google apparently makes this available to anyone who is willing to buy the security keys. It would be nice if all major social media services had such a program.


Not sure if this falls into the advanced protection for Google, but about a year or two ago, got a notification of a suspicious login from Moscow (I'm from the US and have never travelled out of North America). Promptly changed my password.


Yeah. At this point, any identity provider that doesn't support FIDO u2f is either incompetent or negligent or both.


"there are some accounts that could be compromised that would be very significant"

Trump? I'm not really being facetious when I ask what difference it could possibly make. Of course, sometimes his tweets do appear to move the stock market, but still.


This isn't a "routine minor security breach".


Did all of Twitter get hacked, or did a single user get embarrassed?


It is. The consequences of hacking e.g. @RealDonaldTrump would be disastrous (especially if the adversary is a hostile nation state whose hackers are smart enough to make plausible, but damaging statements).


Would it, in that particular case? Don’t get me wrong, I agree with your general point (imagine a police department account tweeting a photo of someone while accusing them of a crime), but given the Tweets of his that people quote I get the impression that even if Trump’s account posts open declarations of war nobody would do anything?


Agreed. Trump's Twitter account is a bad example of things that people read that might have real world consequences.


https://www.mediaite.com/online/pentagon-reportedly-feared-t...

The official policy of the White House is that the President's tweets from @realDonaldTrump can be statements of the President in his official capacity, and therefore binding to the extent that any Presidential order or command can be. He has fired people, he has announced sweeping policy changes, made nominations, and so on through Twitter, which have then been acted on by the executive branch, Congress (which held appointment hearings for a SecDef before a formal nomination, but after a tweet), and the courts.


Of course that's the nod nod wink wink official policy - how could it be otherwise, and with any other president you would be wise to attach some weight to presidential tweets. But here's the only test you have to make: would you take real-life, consequential action based solely on a Trump tweet or would you look for verification elsewhere first? Because if it's the latter, it doesn't really matter if Trump's account gets hacked.


I just gave examples:

1. of the executive branch by and through the US Department of Defense, among other examples

2. the legislative branch, by and through committee hearings and acceptance as fact of nominations not yet formally made, among other examples

3. and the judicial branch, by and through accepting as fact the arguments of the DOJ through the solicitor general that statements by the President via Twitter are "official statements of the President", among other examples

That's not wink wink, nod nod. That's just fact. The federal government, in its three branches, accepts as fact that the President issues official edicts through Twitter.


> The federal government, in its three branches, accepts as fact that the President issues official edicts through Twitter.

Sure, but pretty much everybody in the world accepts as fact that he uses it to issue random nonsense as well. Surely you don't need examples of this.

Which comes back to my question: would you take real-life, consequential action based solely on a Trump tweet or would you look for verification elsewhere first?


He's used it to announce trade sanctions, with the tweets in question literally being cut and pasted together to form the official White House statement a few hours later.


If it's this easy to hack Trump's Twitter account and say things that could trigger war, maybe we need to reconsider allowing elected officials to use social media as their official communications channel. Instead, they should have a government run portal where they relay whatever info they need to.


I think this comment is just as overexaggerated as the one you made one minute earlier.

https://news.ycombinator.com/item?id=20842357


I'd wager that government-run portals might be even easier to hack.

Regardless of that, separating "official communications" from "personal" would be really tricky. Which tweets would come as "the current president" and which as "the candidate up for re-election"?

In addition to that, there are actually separate accounts (official @POTUS / personal @realDonaldTrump) but Trump-the-person has no incentive to ever use the official account (it's not "his") and so all @POTUS account does is just retweet the personal account, sort of defeating the purpose.


Look at Equifax for example: huge organization, yet undone by very elementary errors.


How, precisely, does a 280 character payload trigger war?

Is UTF-8 just so much U-238 in drag?

If someone is starting a war, then any tweet is fungible with another.


What if a world leader said something along the lines of... "Just ordered a strike xxxcountry. This is war."

That would probably trigger war.


Would it? Is there any country whose leaders are so foppish as to believe what they read on Twitter as though it were some actual diplomatic channel, or even an early warning system?

Color me skeptical, sir.


I'd wager you're correct in your assumption that most decision makers would not be duped by something like that, however a bogus tweet from an official source could be used as plausible cover for leaders who are seeking justification to take actions they wanted to take anyway.

Can you imagine what would have happened if a post-9/11 Iranian leader's account had tweeted "we have successfully acquired nuclear weapons and will be attacking Washington DC and Jerusalem tonight"? Elements within the governments of the USA and Israel have been agitating for war with Iran for decades, and that could give them the cover they need to act on it.


So, if all that's sought is a pretext, why don't state actors just hack accounts and stage pretexts at will?

The elevation of social media to the level of a United Nations general assembly just doesn't seem to pass muster, boss.


Please, and in all honesty and with zero trolling intentions, but please, could someone explain to me why the #NIXXXX hashtag is not banned? To be honest, that's the only thing I care to understand. I would really appreciate if you can educate me. Thank you.


Did he really get hacked or did he just get his phone back from his PR team?


Move along now, nothing to see here, just another user getting their account hacked who forgot to enable 2FA on their account.

On a serious note the people who hacked Jack and several others are called #ChucklingSquad. So actually be cautious of protecting your account.


Many hacks require 2FA.


Just another user? Don't think the CEO of Twitter is just another user. Funny he did not do 2FA tho. hah!


Maybe his 2FA was compromised by mobile number transfer (that would be very bad).


This may be the case:

https://www.treyexgaming.com/index.php/2019/08/26/how-the-sa...

These appear to have been done by the same people who compromised Jack.



