On Friday afternoon, Jack Dorsey's 4.2 million Twitter followers received an unpleasant surprise. A group of vandals had gained access to the account and used it to blast out a stream of offensive messages and plugs for the group's Discord channel. Within 15 minutes the account was back under control and the group had been banned from Discord, but the incident was a reminder of how serious the security problems are for even the highest-profile accounts, and how unsafe phone-based authentication has become.
The hackers got in through Twitter's text-to-tweet service, which is run by Cloudhopper, a company Twitter acquired. Using Cloudhopper, Twitter users can post tweets by sending text messages to a shortcode number, usually 40404. It's a useful trick on basic phones, or whenever you don't have access to the Twitter app. The system only requires that a phone number be linked to your Twitter account, which most users have already done for unrelated security reasons such as two-factor codes and account recovery. As a result, controlling a user's phone number is usually enough to post tweets to their account, and most users have no idea.
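To make that exposure concrete, here is an added toy model of such a gateway (not Twitter's or Cloudhopper's code; the account data, the placeholder phone number and the opt-in flag are all constructed for the example). It contrasts a handler that posts on the strength of the sender's number alone with one that requires the owner to have enabled the feature and records every attempt so the owner can be alerted to SMS-origin posts.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    handle: str
    phone: str                    # number on file, often added only for 2FA/recovery
    text_to_tweet: bool = False   # hypothetical explicit opt-in for the SMS gateway
    tweets: List[str] = field(default_factory=list)


@dataclass
class Event:
    handle: str
    sender: str
    accepted: bool
    reason: str


def find_by_phone(accounts: Dict[str, Account], sender: str) -> Optional[Account]:
    return next((a for a in accounts.values() if a.phone == sender), None)


def post_weak(accounts: Dict[str, Account], sender: str, body: str) -> Optional[str]:
    """The linked number alone authorizes a post: whoever currently receives
    texts for that number (legitimately or not) can tweet as the account."""
    acct = find_by_phone(accounts, sender)
    if acct is None:
        return None
    acct.tweets.append(body)
    return acct.handle


def post_hardened(accounts: Dict[str, Account], sender: str, body: str,
                  audit: List[Event]) -> Optional[str]:
    """Same lookup, but posting is refused unless the owner opted in, and every
    attempt is logged so the owner can be notified of SMS-origin activity."""
    acct = find_by_phone(accounts, sender)
    if acct is None:
        return None
    if not acct.text_to_tweet:
        audit.append(Event(acct.handle, sender, False, "text-to-tweet not enabled"))
        return None
    acct.tweets.append(body)
    audit.append(Event(acct.handle, sender, True, "sms-origin post"))
    return acct.handle


def demo():
    # Constructed sample data; the number is a placeholder, not anyone's real number.
    accounts = {"ceo": Account("ceo", "+15550000000")}
    audit: List[Event] = []
    weak = post_weak(accounts, "+15550000000", "hello from a text")          # posts
    blocked = post_hardened(accounts, "+15550000000", "hello again", audit)  # refused
    accounts["ceo"].text_to_tweet = True
    allowed = post_hardened(accounts, "+15550000000", "opted in", audit)     # posts
    return weak, blocked, allowed, len(accounts["ceo"].tweets), len(audit)
```

The weak handler accepts the first message with no opt-in at all; the hardened one refuses it, logs the refusal, and only accepts once the owner has turned the feature on.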
As it turns out, gaining control of Dorsey's phone number was not as difficult as you might think. According to a Twitter statement, the hackers gained control through a "security check" at the carrier. Generally speaking, this type of attack is called SIM swapping: essentially, convincing a carrier to assign Dorsey's number to a new phone that the attackers controlled. It is not a new technique, although it is more often used to steal Bitcoin or high-value Instagram handles. Often it takes surprisingly little. You can protect yourself by adding a PIN to your carrier account or by registering web accounts such as Twitter with a separate phone number, but these steps may be too much to ask of the average user. As a result, SIM swapping has become one of the favorite techniques of account hijackers, and as we found out today, it works more often than you'd think.
Chuckling Squad, the crew that took over Dorsey's account, has been pulling this trick for years. Its most prominent attacks to date have been on a string of online influencers, with as many as ten different figures targeted before Dorsey. The group seems to have a particular in with AT&T, which is also Dorsey's carrier, although it is unclear exactly how it got control of the number. (AT&T did not respond to a request for comment.)
The history of this type of hack is much older than Chuckling Squad or SIM swapping. Any system that makes it easier for a user to tweet will also make it easier for a hacker to take control of the account. In 2016, Dorsey was targeted by a similar attack that used authorized third-party apps, which users often abandon but which still retain permission to post tweets to the account. That technique has become less prominent as SIM swapping has become better understood, but the basic goal of vandalism has remained largely unchanged.
Still, the incident is embarrassing for Twitter, and not just because of the immediate scramble to regain control of the CEO's account. The security world has known about SIM swap attacks for years, and the Dorsey account had been vandalized before. The simple failure to secure the CEO's account is a significant lapse for the company, with implications far beyond a few minutes of chaos. Hopefully Twitter will learn from the incident and prioritize stronger security, perhaps even moving its account confirmation away from SMS, but given the company's track record, I doubt many are holding their breath.