Twitter CEO Jack Dorsey’s Twitter account was hacked on Friday afternoon by a group that calls itself the Chuckle Squad. The hackers tweeted racial slurs, antisemitic messages and at least one Holocaust denial from Dorsey’s account. Some offensive tweets were up for about 10 minutes, though not long after the hack began, those tweets were already being deleted, and they’re all gone now.
We're aware that @jack was compromised and investigating what happened. — Twitter Comms (@TwitterComms) August 30, 2019
Roughly an hour and a half after the hack, Twitter tweeted that “the account is now secure, and there is no indication that Twitter’s systems have been compromised.”
Later, Twitter pointed the blame at Dorsey’s cell carrier, saying that “the phone number associated with the account was compromised due to a security oversight by the mobile provider,” which apparently allowed the hackers to send the tweets using text messages.
The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved. — Twitter Comms (@TwitterComms) August 31, 2019
The tweets appear to have come via Cloudhopper, a company that Twitter previously acquired to help with its SMS service. If you text 404-04 from the phone number linked to your Twitter account, that text will post to Twitter. The source in the tweet will be given as “Cloudhopper.”
.@Jack’s account has been hacked.
The Tweets are coming from a source called Cloudhopper. Cloudhopper was the name of the company Twitter acquired a long time ago to help bolster their SMS service.
Looks like the hackers are Tweeting via the old SMS service... pic.twitter.com/YcU3DTn9wS
— Sam (@Hooray) August 30, 2019
Today’s hack appears to be from the same group that attacked a number of YouTube celebrities last week on Twitter, including beauty vlogger James Charles, Shane Dawson, and comedian King Bach. The hackers also allegedly gained access to the late Desmond “Etika” Amofah’s Gmail account, as seen in screenshots collected in their Discord server. At the time, many of the people who’d been affected suggested their accounts were breached following a SIM card swap conducted by AT&T employees.
“We are working with law enforcement, have restored the customers’ service, and discussed ways to secure the account,” an AT&T spokesperson told The Verge after the previous Chuckle Squad attacks. AT&T has not responded to a request for comment today.
Other attacks that occurred on Twitter also resemble Chuckle Squad’s tactics. Riverdale’s Cole Sprouse blamed a hack of his Twitter account on his “cell service provider.” It’s not clear if that was the same group.
In addition to some ugly tweets, today’s hackers plugged a Discord server, asking people to join it. (The server invitation link tweeted out by the hackers no longer works.) “Both the server and the server owner were permanently removed from Discord within minutes of this being reported to us,” a Discord representative told The Verge.
“Encouraging any kind of hacking is in direct violation of our Terms of Service,” the representative said. “We will continue to monitor and investigate this incident.”
Dorsey’s account has been hacked before. In 2016, the security firm OurMine hacked @Jack to send out a message about “testing your security.” The tweet also had a video and a link to OurMine’s website. (OurMine also hacked other CEOs, such as Facebook’s Mark Zuckerberg and Google’s Sundar Pichai.)
The Verge has reached out to Twitter for more information about the specifics of the attack, and it will update if more information becomes available.
Update, 8:27PM ET: Added Twitter’s explanation that a cell carrier vulnerability allowed the hackers to send tweets via text message, and that’s how they were added to Dorsey’s account.