Securing accounts online can be difficult, especially when you've got a lot of legacy access points laying around. Today's example is Twitter CEO Jack Dorsey, whose Twitter account has suddenly been hijacked to send random messages and racial slurs. A quick look at the messages (which are quickly being deleted) identifies their source as Cloudhopper, an SMS service Twitter acquired back in 2010.
While newer users may not remember this period, but there was a time when SMS was the main way to use Twitter, and some have noted that Dorsey was still posting using text messages as recently as this year. Twitter announced that it is aware the account has been compromised and is investigating. I confirmed on my own account that texting 40404 from my registered number still works, and identifies the tweet's source app as Cloudfront. With no option for other protections, tweeting from Dorsey's account (or anyone else's) is just as easy as pulling off the increasingly common SIM hijack to steal their phone number.
This isn't the first time someone's used a backdoor to send messages from Dorsey's account, however. In 2016, the group calling itself "OurMine" hijacked a number of high-profile accounts, including @Jack, and alleged that Vine stored passwords insecurely.
Update: Twitter has confirmed that Dorsey's account is again secure, and without explaining how the exploit worked, said "there is no indication that Twitter's systems have been compromised." That would be consistent with someone swapping the CEO's SIM or somehow spoofing the number, neither of which would require actually compromising Twitter or accessing his account directly.
Update 2 (8:27 PM ET): Twitter explained what happened and it was as I suspected, "The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number." Journalist Brian Krebs recommended using a Google Voice phone number to register online accounts, since that can be secured with 2FA and hardware keys, which mobile carriers don't support.
We're aware that @jack was compromised and investigating what happened.— Twitter Comms (@TwitterComms) August 30, 2019
The account is now secure, and there is no indication that Twitter's systems have been compromised.— Twitter Comms (@TwitterComms) August 30, 2019
The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.— Twitter Comms (@TwitterComms) August 31, 2019
Cloudhopper was the name of the company we acquired eons ago to help bolster our SMS service. Apparently we still use the name as the client ID.— Bryan Haggerty (@bhaggs) January 28, 2019