Twitter Inc. blamed Chief Executive Officer Jack Dorsey’s mobile phone carrier for a hack of his Twitter account that sent out a stream of offensive tweets on Friday.
“The phone number associated with the account was compromised due to a security oversight by the mobile provider,” Twitter said in a comment posted by spokesman Brandon Borrman late Friday.
Borrman clarified Saturday that the company isn’t identifying the carrier, and so far none of the four major U.S. mobile providers has admitted responsibility.
The security incident “allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved,” according to the Friday statement.
The clarification appears to support speculation that Dorsey was the victim of SIM swapping. That’s when someone convinces a mobile carrier to switch an existing number to a new SIM card they control. In this case, it may have required the hackers to have personal details that would allow them to convincingly impersonate one of Silicon Valley’s best-known figures.
More than 15 tweets, many containing obscenities and racist comments, were posted on Dorsey’s account, @jack, shortly before 4 p.m. New York time on Friday. The company started deleting the tweets from Dorsey’s verified Twitter account, which has more than 4 million followers, about 20 minutes after the messages went viral.
A person familiar with Sprint’s operations said the company checked late Friday and there was no record of an account associated with Dorsey. A spokeswoman for T-Mobile, Tara Darrow, said that “for privacy and security reasons, we would never discuss an individual’s circumstances or if they are a customer.” Verizon Communications Inc. and AT&T Inc. didn’t respond to queries from Bloomberg News on Saturday asking if they were Dorsey’s provider.
The attack may not have required any in-person communication on the part of the fraudster. A group calling itself the Chuckling Squad claimed credit for the hack.
“You can call in and say, ‘I bought a new phone and I need a new SIM card assigned to this number,’” said Lawrence Pingree, a research vice president at the IT research company Gartner Inc. If the caller provides the correct information, they might succeed, and the problem is made worse because call centers handle a high volume of calls, he said.
Some of the tweets sent from Dorsey’s account used anti-black slurs, praised Adolf Hitler and talked about a bomb at Twitter’s headquarters. Many of them referenced the Chuckling Squad, which also took credit for the hack of several YouTube and Instagram celebrities this month, including James Charles, Shane Dawson, King Bach and Amanda Cerny.
Borrman said he “didn’t have anything to share on that right now” when asked whether the FBI or local law enforcement was investigating Dorsey’s hack.
Sgt. Samy Tarazi, of the Santa Clara County Sheriff’s Office, whose agency is part of a five-county cyber task force in the Bay Area that has focused on SIM swapping for the last 18 months, said swapping represents a massive flaw in mobile security because the phone’s user loses all control of their device; the decision to change out the SIM is left to the mobile carrier. Some victims have been hit multiple times.
Tarazi said in some cases employees of a mobile carrier are paid to swap the cards by the hackers, but in others, the perpetrators are just clever at impersonating the victim. Tarazi said he’s seen the fraud performed successfully by hackers as young as 13 years old.
While the attack on Dorsey’s account didn’t appear to be financially motivated, SIM swapping can be lucrative when used to steal cryptocurrency that’s secured through data or applications linked to a victim’s mobile phone.
Prosecuting SIM swaps is challenging because it’s often difficult to explain the process to a judge or jury that isn’t tech savvy, Tarazi said. In addition, “it’s really trying to explain the seriousness of a 16-year-old working from his bedroom in his parents’ house stealing millions of dollars. It’s hard to wrap your head around.”
After Dorsey’s hack, other Twitter users expressed concern that an even more prominent and prolific user — President Donald Trump — could be just as easily hacked, compromising global political relations. Trump, who regularly uses the service to announce policy decisions, expressed little concern about that scenario.
“Well, I hope they’re not hacking my account, but actually if they do, they’re not going to learn too much more than what I put out, right?” Trump told reporters Friday evening as he left the White House. “Shouldn’t be too bad.”
Twitter declined to comment on the security measures Dorsey uses. His account was hacked in 2016 through a connection to his Vine account, so he probably uses more security around the account than most users.
Twitter lets users post tweets by text, and it’s likely the method that was used to post the offensive remarks, which wouldn’t require having Dorsey’s password or directly hacking Twitter’s systems.
The tweets were sent via a service called Cloudhopper that allows tweeting via SMS. Twitter acquired Cloudhopper in 2010.