ITP Techblog

Brought to you by IT Professionals NZ
Menu
« Back to Security & Privacy

Hi Jack - Dorsey's Twitter account breached

Paul Brislen, Editor. 02 September 2019, 7:13 am

Twitter founder Jack Dorsey's Twitter account was hijacked over the weekend despite having two-factor authentication (2FA) turned on. 

While information about the 30-minute long hijacking is somewhat scarce, it would appear the hackers gained access via Twitter's "text to tweet" service that allows users to tweet by sending a text message to a short code. The hack appears to have been of Dorsey's phone number, not of the account itself - a "SIM swapping" attack that has been popular in the past, although typically targeting Bitcoin miners.

By targeting the phone number itself any 2FA code sent to the new phone gives that user control of the account - something that Twitter has been warned about for many years. The company responsible for the text to tweet service is directly owned by Twitter, which might explain the social media company's reluctance to move away from using cellphones as a 2FA agent.

This isn't the first time Dorsey's account has been hacked. In 2016 a group known as OurMine briefly took control of the CEO's account, although Twitter gave little detail as to how that occurred.

Account holders are well advised to use a third-party 2FA authenticator rather than a text message delivered service for their security needds.


Comments

You must be logged in in order to post comments. Log In


Web Development by The Logic Studio