Twitter points finger at mobile carrier after Dorsey’s account hack

The company started deleting the tweets from his verified Twitter account about 20 minutes after the messages went viral

(FILES) In this file photo taken on November 12, 2018 Twitter CEO and co-founder Jack Dorsey gestures while interacting with students at the Indian Institute of Technology (IIT) in New Delhi on November 12, 2018. A series of erratic and offensive messages appearing on the account of Twitter chief executive Jack Dorsey August 30, 2019 suggest his account had been hacked. The tweets containing racial slurs and suggestions about a bomb showed up around 2000 GMT on the @jack account of the founder of the short messaging service. The company did not immediately respond to an AFP query. / AFP / Prakash SINGH

Twitter blamed chief executive Jack Dorsey’s mobile phone carrier for a hack of his Twitter account that sent out a stream of offensive tweets on Friday.

“The phone number associated with the account was compromised due to a security oversight by the mobile provider,” Twitter said in a comment posted by spokesman Brandon Borrman late Friday.

Mr Borrman clarified Saturday that the company isn’t identifying the carrier, and so far none of the four major US mobile providers has admitted responsibility.

The security incident “allowed an unauthorised person to compose and send tweets via text message from the phone number. That issue is now resolved”, according to the Friday statement.

The clarification appears to support speculation that Mr Dorsey was the victim of SIM swapping. That’s when someone convinces a mobile carrier to switch an existing number to a new SIM card they control. In this case, it may have required the hackers to have personal details that would allow them to convincingly impersonate one of Silicon Valley’s best-known figures.

More than 15 tweets, many containing obscenities and racist comments, were posted on Mr Dorsey’s account, @jack, shortly before 4pm New York time on Friday. The company started deleting the tweets from Mr Dorsey’s verified Twitter account, which has more than 4 million followers, about 20 minutes after the messages went viral.

A person familiar with Sprint’s operations said the company checked late Friday and there was no record of an account associated with Mr Dorsey. A spokeswoman for T-Mobile, Tara Darrow, said that “for privacy and security reasons, we would never discuss an individual’s circumstances or if they are a customer”. Verizon and AT&T didn’t respond to queries from Bloomberg News on Saturday asking if they were Mr Dorsey’s provider.

The attack may not have required any in-person communication on the part of the fraudster. A group calling itself the Chuckling Squad claimed credit for the hack.

“You can call in and say, ‘I bought a new phone and I need a new SIM card assigned to this number,’” said Lawrence Pingree, a research vice president at the IT research company Gartner. If the caller provides the correct information, they might succeed, and the problem is made worse because call centers handle a high volume of calls, he said.

Some of the tweets sent from Mr Dorsey’s account used anti-black slurs, praised Adolf Hitler and talked about a bomb at Twitter’s headquarters. Many of them referenced the Chuckling Squad, which also took credit for the hack of several YouTube and Instagram celebrities this month, including James Charles, Shane Dawson, King Bach and Amanda Cerny.

Mr Borrman said he “didn’t have anything to share on that right now” when asked whether the FBI or local law enforcement was investigating Mr Dorsey’s hack.

Sgt Samy Tarazi of the Santa Clara County Sheriff’s Office, whose agency is part of a five-county cyber task force in the Bay Area that has focused on SIM swapping for the last 18 months, said swapping represents a massive flaw in mobile security because the phone’s user loses all control of their device; the decision to change out the SIM is left to the mobile carrier. Some victims have been hit multiple times.

Mr Tarazi said in some cases employees of a mobile carrier are paid to swap the cards by the hackers, but in others, the perpetrators are just clever at impersonating the victim. Mr Tarazi said he’s seen the fraud performed successfully by hackers as young as 13 years old.

While the attack on Mr Dorsey’s account didn’t appear to be financially motivated, SIM swapping can be lucrative when used to steal cryptocurrency that’s secured through data or applications linked to a victim’s mobile phone.

Prosecuting SIM swaps is challenging because it’s often difficult to explain the process to a judge or jury that isn’t tech savvy, Mr Tarazi said. In addition, “it’s really trying to explain the seriousness of a 16-year-old working from his bedroom in his parent’s house stealing millions of dollars. It’s hard to wrap your head around”.

After Mr Dorsey’s hack, other Twitter users expressed concern that an even more prominent and prolific user - President Donald Trump - could be just as easily hacked, compromising global political relations. Mr Trump, who regularly uses the service to announce policy decisions, expressed little concern about that scenario.

“Well, I hope they’re not hacking my account, but actually if they do, they’re not going to learn too much more than what I put out, right?” Mr Trump told reporters Friday evening as he left the White House. “Shouldn’t be too bad.”

Twitter declined to comment on the security measures Mr Dorsey uses.

Twitter lets users post tweets by text message, and that is likely the method that was used to post the offensive remarks. Doing so wouldn’t require having Mr Dorsey’s password or directly hacking Twitter’s systems.

The tweets were sent via a service called Cloudhopper that allows tweeting via SMS. Twitter acquired Cloudhopper in 2010.