Did a Security Researcher Really Access Trump’s Twitter Account?

Dutch ethical hacker Victor Gevers claims to have gained access to Trump’s Twitter account after successfully guessing the password. Twitter says it has no evidence the account break-in actually occurred, though.

By Michael Kan

The security around President Trump’s Twitter account is grabbing headlines after a Dutch ethical hacker claims to have successfully broken in by using the password “maga2020!”

But both Twitter and the White House are casting doubt on the story, making it unclear if Trump’s account was truly secured with only a weak password.

The alleged break-in was done by Victor Gevers, a security researcher who’s uncovered vulnerabilities and unsecured databases before. He told Dutch newspaper De Volkskrant that he logged into the president’s account last Friday in order to test whether it was secure. And according to him, it wasn’t.

On his fifth attempt, he managed to break in by trying the combination “maga2020!” a reference to the “Make America Great Again” slogan Trump has been using on the campaign trail.

“I expected to be blocked after four failed attempts. Or at least would be asked to provide additional information,” Gevers told the publication. But he encountered no two-factor authentication in place or any other safeguards to check his identity.

Twitter is dismissing the report. “We’ve seen no evidence to corroborate this claim, including from the article published in the Netherlands today,” a company spokesperson said.

Indeed, Twitter should have logs capable of showing which devices and IP addresses have been connecting to the president’s account. However, the company’s statement indicates no suspicious activity was uncovered.

Twitter added: “We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government.”

A White House spokesperson also told The Independent that Gever’s accusations about the hijacking are “absolutely not true.”

Gevers claims to have taken screenshots of the account access, though. One screenshot was shared with TechCrunch; it shows Gevers with the apparent capability to edit Trump’s profile page on Twitter.

Gevers attempted to contact Trump and his digital security team about securing the Twitter account with at least a stronger password. But he received no response. Gevers then proceeded to send tweets and messages across Twitter warning the Trump administration, the CIA, the FBI, and Twitter about the weak password.

A day later, on Saturday, Gevers noticed two-factor authentication was turned on for the president’s account. The US Secret Service in the Netherlands also contacted Gevers about the incident, according to De Volkskrant.

Presumably, the alleged weak password on Trump’s account has been changed as well. The US Secret Service declined to comment on Gevers’ claims, and told PCMag to contact the White House for a response.

Gevers didn’t immediately respond to a request for comment. But a few security researchers are speculating Twitter may have temporarily lowered security on Trump’s account after the president caught COVID-19, which would have enabled Gevers access with only a password.

“The plausible bit to me is the notion that MFA (multi-factor authentication) was likely disabled on his account when he went to the hospital for COVID, so that others could tweet for him,” said Katie Moussouris, CEO of Luta Security in a tweet.

“Could his password also have been changed to a simpler one, especially to share with staff during that period? Could be,” she added in her tweet.

Computer science lecturer and security expert Nicholas Weaver said he’s doubtful the hack actually occurred. “For this story to be true it isn’t just a failing for Trump, it would mean a gross failing on the part of both Twitter and White House IT staff,” he said in a tweet.

It isn’t the first time Gevers has tried to hack Trump’s account to test its security. In 2016, he and two other Dutch hackers claim to have also broken into Trump’s Twitter account by using the password “yourefired.”

Originally published at https://www.pcmag.com.