
Image credit: Matt Crossick - PA Images via Getty Images

Twitter CEO Jack Dorsey's account has been compromised, again

It appears hackers are using SMS to send messages from the exec's account.

Square Co-founder and CEO Jack Dorsey (far left) speaks to Entrepreneurial Refugee Network members (left to right) Muzaffar Sadykov and Naglaa Sadik to discuss how technology is opening up new opportunities for refugees breaking barriers in the UK. (Photo by Matt Crossick/PA Images via Getty Images)

Securing accounts online can be difficult, especially when you've got a lot of legacy access points lying around. Today's example is Twitter CEO Jack Dorsey, whose Twitter account has suddenly been hijacked to send random messages and racial slurs. A quick look at the messages (which are quickly being deleted) identifies their source as Cloudhopper, an SMS service Twitter acquired back in 2010.

While newer users may not remember this period, there was a time when SMS was the main way to use Twitter, and some have noted that Dorsey was still posting using text messages as recently as this year. Twitter announced that it is aware the account has been compromised and is investigating. I confirmed on my own account that texting 40404 from my registered number still works, and identifies the tweet's source app as Cloudfront. With no option for other protections, tweeting from Dorsey's account (or anyone else's) is just as easy as pulling off the increasingly common SIM hijack to steal their phone number.

This isn't the first time someone's used a backdoor to send messages from Dorsey's account, however. In 2016, the group calling itself "OurMine" hijacked a number of high-profile accounts, including @Jack, and alleged that Vine stored passwords insecurely.

Update: Twitter has confirmed that Dorsey's account is again secure, and without explaining how the exploit worked, said "there is no indication that Twitter's systems have been compromised." That would be consistent with someone swapping the CEO's SIM or somehow spoofing the number, neither of which would require actually compromising Twitter or accessing his account directly.

Update 2 (8:27 PM ET): Twitter explained what happened and it was as I suspected: "The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number." Journalist Brian Krebs recommended using a Google Voice phone number to register online accounts, since that can be secured with 2FA and hardware keys, which mobile carriers don't support.
