Dutch Ethical Hacker Logs into Trump’s Twitter Account
Last week a Dutch security researcher succeeded in logging into the Twitter account of the American President Donald Trump. Trump, an active Twitterer with 87 million followers, had an extremely weak and easy to guess password and had according to the researcher, not applied two-step verification.
The researcher, Victor Gevers, had access to Trump’s personal messages, could post tweets in his name and change his profile. Gevers took screenshots when he had access to Trump’s account. These screenshots were shared with de Volkskrant by the monthly opinion magazine Vrij Nederland. Dutch security experts find Gevers’ claim credible.
The Dutchman alerted Trump and American government services to the security leak. After a few days, he was contacted by the American Secret Service in the Netherlands. This agency is also responsible for the security of the American President and took the report seriously, as evidenced by correspondence seen by de Volkskrant. Meanwhile Trump’s account has been made more secure.
This is not the first time that Dutch hackers succeeded in taking over Donald Trump’s Twitter account. The first time was four years ago, just before the 2016 elections, when three hackers jointly managed to retrieve Trump’s password and access his account. That someone has now succeeded again, is remarkable. During the previous presidential elections Russian hackers attempted to influence the elections on a large scale. Subsequently, social media have taken various steps to prevent manipulation.
Today as well, barely three weeks before the presidential elections, attempts are being made from Russia and Iran to digitally influence the elections. Obviously, the President’s Twitter account is a target too. Twitter declines to respond on the record, stating that they never comment on security measures for individual accounts. Ronald Prins, founder of security company Hunt & Hackett and one of the best-known Dutch security experts, says: ‘I’ve known Victor Gevers for quite a few years. He has a reputation of devoting his life to finding vulnerabilities and always adopts a very ethical attitude in doing so. On the basis of what I know and have seen, his claim seems credible.’
Victor Gevers was also one of the three hackers who logged into Trump’s account in 2016. ‘That we would succeed in doing it again so soon, was not planned’, he says about the buildup to the action. The reason for making another attempt to hack Trump’s account was the reporting in the US about Hunter Biden. A hard disk owned by presidential candidate Joe Biden’s son was supposedly stolen or hacked – also because Hunter Biden used an easy to guess password (Hunter02). Gevers is familiar with leaked databases of old passwords and searched these for Hunter Biden’s data. After analysing these old databases, he felt that the information was incorrect. Hunter Biden used other passwords. Gevers: ‘I could tell that it wasn’t his password.’
It gives him the idea to check how good the security of verified Twitter accounts actually is. He looks at the account of Susan Rice, the former US national security adviser, and at that of Joe Biden. And also takes a look at Donald Trump, while he’s at it. ‘Doing spot checks, that’s my work: look for any leaks in security.’
Earlier discoveries by Gevers include an enormous Chinese database with the location data of 2.7 million inhabitants of Xinjang – China’s largest province and home to the Uyghurs. The poorly secured database contained all kinds of personal data: people’s ID number, nationality, phone number, date of birth, photos, employer, but also GPS coordinates of the places these individuals had visited. The existence of this database made it even clearer how meticulously China is monitoring the Uyghur minority in the country.
On Friday morning, almost absentmindedly, Gevers tries a number of passwords and their variations. On the fifth attempt: bingo! He tries ‘maga2020!’ (short for make America great again) and suddenly finds himself in the Twitter account of the American President. He is flabbergasted. Gevers: ‘I expected to be blocked after four failed attempts. Or at least would be asked to provide additional information.’ None of that.
On that Friday morning, Gevers has access to what is perhaps the most important Twitter account in the world and is in a position to send a message to 87 million people, the attentive world press, and government leaders. Gevers: ‘I did think: “Here we go again”.’
After all, hacking an account is illegal. If Gevers wants to make it clear that he is acting with good intentions, he will have to proceed responsibly and document his steps. He takes screenshots. Then he sends an email to Donald Trump – ‘I still had an old email account of his’ – and sends a copy to the American organisation for digital security. He kindly advises Trump to take extra security measures. And perhaps use a somewhat longer password. Gevers even suggests one: !IWillMakeAmericaGreatAgain2020!, and adds instructions for activating two-step verification. ‘But I didn’t get a reply.’
So, he tries to warn others. Trump’s campaign team, his family. He sends messages via Twitter asking if someone will call Trump’s attention to the fact that his Twitter account is not safe. He tags the CIA, the White House, the FBI, Twitter themselves. No response.
Gevers: ‘Then on Saturday, I suddenly saw that two-step verification for the account had been activated.’ Two days later, in the evening, he receives an email from the American Secret Service. ‘Friendly. They were interested in my information. I forwarded everything to them.’ On Tuesday they speak digitally. They thank Gevers, telling him that they were unaware of the security leak. This still leaves the security researcher with a number of questions: ‘Why is it possible for someone from a different time zone to log into such an important account? Why doesn’t Twitter demand better passwords? If I can access his account, then foreign nations can do so as well, right? Why aren’t the persons who are supposed to protect the President informed when someone reports that his account is unsafe?’
Matthijs Koot, security researcher at Secura, is also astonished at how easy it was for Gevers to take over Trump’s account. ‘To put it harshly: people who in the year 2020 still ignore basic advice on online security are a potential danger to themselves and to those around them.’
According to Koot, these risks also affect others. ‘Today, we are increasingly interconnected, which means that a hack of one individual’s account or computer may also undermine the privacy and security of others. After all, via Trump’s account you can also see private messages sent to him or refer others to links containing malware or to a fake login page.’ This raises the question of how responsible Twitter is when it comes to additional security measures. Koot: ‘They should either compel people to use additional authentication or, if people really don’t want this, make them use a complex password. The days of logging in with just a weak password are over.’
Twitter declines to respond to questions. The question remains why Trump was using such a weak and simple password. Gevers has a possible explanation: ‘Trump is over 70 – elderly people often switch off two-step verification because they find it too complicated. My own mother, for instance. For younger generations digital security is more self-evident.’