Twitter CEO’s account hacked in SIM-swapping scheme

Hackers briefly took over Twitter CEO Jack Dorsey’s account, tweeting bomb threats and racist posts, in an incident that served as a reminder of the relative ease of compromising security.

“The phone number associated with the account was compromised due to a security oversight by the mobile provider,” Twitter tweeted Friday. “This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.”

The company also said “there is no indication that Twitter’s systems have been compromised.”

The takeover seems to be the result of SIM-swapping, according to a BBC report that cited a Twitter official, with the offensive tweets coming from Cloudhopper, a company Twitter bought to support SMS. It also appears to be the work of the Chuckling Squad, which recently has hacked celebrity Twitter accounts like that of the late YouTube personality @Etika.

“This incident is a perfect example of the risks associated with communication – any form of communication – when sender identity is not authenticated,” said Alexander García-Tobar, CEO and co-founder of Valimail. “A hacker or hackers were able to spoof Jack Dorsey’s phone number, convincing the text to tweet 40404 service that it was the mobile number associated with his Twitter account.”

Noting that “SIM swap scams have become a much more prominent and dangerous threat over the past year,” Ryan Rowcliffe, lead of solution architecture at SecureAuth, said, “it has been proven to be a shockingly easy way of subverting two-factor authentication by either successfully tricking carrier agents to move a user’s phone number to a new SIM card or through bribing one of these agents.”

“The spoofed tweets sent through Dorsey’s account are despicable and offensive, yet far greater damage can be done using similar techniques. We see this play out over and over again with email communication,” said García-Tobar. “A hacker leverages impersonation to send extremely convincing spear phishing emails to a company employee, and in no time, fake invoices are paid, consumers’ data exposed, wire transfers are made to fake companies - the list is endless.”

SIM swap attacks also underscore the folly of “relying solely on two-factor authentication. As consumers we have been accustomed to SMS being treated as two-factor-authentication,” said Rowcliffe. “While this is better than nothing, it has security implications.”

The onus is on carriers, users and the security industry to stop SIM-jacking attacks, he said.

“Since carriers are the real targets in this scenario, they have a responsibility to look for suspicious patterns running through their call centers and customer service organizations in order to find fraudulent activity or reps who have been bribed by cybercriminals,” said Rowcliffe. “At the very least, consumers should contact their phone carriers and request for additional security to be applied to their accounts such as not allowing account changes without a verification code delivered over a non-SMS channel.”

The industry “should be working with phone carriers to find alternative ways to confirm possession of the phone prior to allowing changes to an account of this nature,” he added.

García-Tobar said the focus should be “on validating and authenticating sender identity, no matter the form of communication,” suggesting that organizations enforce DMARC to guard against email spoofing.
