Friday afternoon, Jack Dorsey’s 4.2 million Twitter followers got an unpleasant surprise. A group of vandals had gained access to the account, and used that access to blast out a stream of offensive messages and plugs for their group’s discord channel. Within 15 minutes, the account was back under control and the group was banned from Discord, but the incident was a reminder of the serious vulnerabilities in even the highest-profile accounts, and just how insecure phone-based authentication has become.
The hackers got in through Twitter’s text-to-tweet service, operated by the acquired service Cloudhopper. Using Cloudhopper, Twitter users can post tweets by texting messages to a shortcode number, usually 40404. It’s a useful trick for SimplePhones or if you just don’t have access to the Twitter app. The system only requires linking your phone number to your Twitter account, which most users already do for separate security reasons. As a result, control of your phone number is usually enough to post tweets to your account, and most users have no idea.
A “security oversight” by the provider let the hackers gain control
As it turns out, getting control of Dorsey’s phone number wasn’t as hard as you might think. According to a Twitter statement, a “security oversight” by the provider let the hackers gain control. In general terms, this kind of attack is called SIM hacking — essentially convincing a carrier to assigning Dorsey’s number to a new phone that they controlled. It’s not a new technique, although it’s more often used to steal Bitcoin or high-value Instagram handles. Often, it’s as simple as plugging in a leaked password. You can protect yourself by adding a PIN code to your carrier account or registering web accounts like Twitter through dummy phone numbers, but those techniques can be too much to ask for the average user. As a result, SIM swapping has become one of online troublemakers’ favorite techniques — and as we found out today, it works more often than you’d think.
Chuckling Squad, the crew that took over Dorsey’s account, has been playing this trick for years. Their most prominent attacks up to this point have been a string of online influencers with as many as ten different figures were targeted before Dorsey. They seem to have a particular trick with AT&T, which is also Dorsey’s carrier, although it’s unclear exactly how they gained control. (AT&T did not respond to a request for comment.)
The history of this kind of hack is much older than Chuckling Squad or even SIM Swapping. Any system that makes it easier for a user to tweet will also make it easier for a hacker to take control of the account. In 2016, Dorsey was targeted by a similar attack that took advantage of authorized third party plugins, which have often been abandoned but still retain the permission to send tweets to the account. That technique has grown less prominent as SIM swapping techniques have become more broadly understood, but the basic goals of drive-by vandalism have remained largely unchanged.
Still, the incident is embarrassing for Twitter, and not simply because of the immediate scramble to regain control of the CEO’s account. The security world has known about SIM swapping attacks for years, and Dorsey’s account had been vandalized before. The simple failure to secure control of the CEO’s account is a significant failure for the company, with implications far beyond a few minutes of chaos. Hopefully, Twitter will learn from the incident and prioritize stronger security — maybe even shifting Twitter verification away from SMS — but given the company’s track record, I doubt many people are holding their breath.