According to a report in the Dutch publication, Vrij Nederland, three ethical hackers cracked President Trump's Twitter password in 2016. You might be surprised that it would take four years for such a story to come to light, and so dismiss this account out of hand. However, there were, according to the report, rumors circulating in hacker circles that Trump's Twitter account had been hacked back in 2016. Now, three Dutch hackers have come forward and claimed they did it.
Incredibly, they said that the password for Trump's Twitter account was the same as one discovered in a LinkedIn database breach from 2012. More than 117 million account details from that incident were found being sold in dark web forums in 2016, so the dates match in that regard.
Although, as someone who has been involved in cybersecurity across three decades, I'm more than aware of poor password management, it's the password itself that makes me think it both unlikely and, perhaps shockingly, totally feasible at the same time. That password being: yourefired.
Hackers say they cracked Trump’s Twitter password in October 2016
According to the original report, the story starts in October 2016, when the three ethical hackers say they tried to access the @realdonaldtrump Twitter account using a password they had recovered from a hash contained in the LinkedIn credentials database. That attempt to access the Twitter account belonging to the then presidential candidate failed, but not in the way expected: rather than the password being rejected, it was the email address the hackers had used for verification that was wrong.
Edwin, Mattijs and Victor, who gave the VN interview on condition their last names were not published, explained how Donald Trump's Twitter account was hacked in 2013 following the LinkedIn breach.
Once the LinkedIn credentials database became available to purchase online in 2016, the three set about recovering passwords from the hashes it contained, using the password-cracking tool John the Ripper. The report states that it took less than a second to recover the password for the [email protected] entry it included. One of them immediately tried it against the Twitter account and said the password was accepted, but the email address verification failed. From an ethical hacker's perspective, this was a big deal: it meant Trump had seemingly not changed his Twitter password after the LinkedIn breach, and that the password was being reused, at least for Twitter. That's two strikes right there, as anyone familiar with the basics of adequate security would surely have advised Trump against both.
It was also a strike against the ethical hackers, who had, they claimed, just attempted to log in to a presidential candidate's Twitter account, only a couple of weeks ahead of the election, using the correct password and without covering their tracks. The report suggests that no VPN was used, and that the attempt was made from the hotel network where they were paying guests. If a state-sponsored hacker, or anyone else who had joined the insecurity dots in the same way as our ethical threesome, were now to access that account for malicious purposes, the three would be in severe trouble indeed.
Accessing Trump’s Twitter account
To have some evidence that they were ethical and non-malicious, they say they were left with no option but to succeed in accessing the account and then do no harm. Having found a [email protected] email address, they tried that as verification: both password and email were now accepted, it is reported.
The account was not accessed, though, as Twitter is said to have noticed the attempt was from Europe when Trump had last logged in from New York. It didn't take long, according to the published report, for the hackers to rectify this by using an open proxy server in New York to provide the correct geography. Third time lucky, they said, and they had accessed Donald Trump's Twitter account. Screenshots were taken and apparently seen by the VN journalist, and a detailed report written up by the three hackers.
They say they tried to contact Trump himself and the United States Computer Emergency Readiness Team (CERT) within the Department of Homeland Security to disclose what they had found, but got no response. Only when they contacted the National Cyber Security Centrum (NCSC) in the Netherlands was the contact acknowledged, although no reply was forthcoming. The Dutch report does say that Trump's assistants were soon given responsibility for managing the Twitter account, though.
I have reached out to both Twitter and President Trump's team for further comment or clarification and will update this article should any be forthcoming. In the meantime, please don't reuse passwords across sites and services, whether they have been previously breached or not. Oh, and don't use a word or phrase that is associated with you either. There's plenty of good password hygiene advice out there; I suggest you follow it, whoever you are.
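As an added example that is not part of the VN report or this article, the following Python shows the defender's side of the two failures described above: why a fast, unsalted hash such as the SHA-1 used in the LinkedIn dump can be matched against a wordlist in well under a second, and how a service can screen a new password against a known-breach list and against user-associated terms at registration time, while storing its own passwords with a per-user salt and a slow key derivation so its own table could not be reversed the same way. The leaked records, email addresses, wordlist and user terms are all constructed for the example; the PBKDF2 iteration count is illustrative, not a recommendation.

```python
"""Defender-side password screening and storage (added example, constructed data)."""
import hashlib
import hmac
import os

# Constructed leak in "email:sha1hex" form, the shape a normalised dump takes.
# Unsalted SHA-1: the same password always yields the same digest, so a
# defender can screen candidates against the whole leak with one set lookup.
CONSTRUCTED_LEAK = [
    "alice@example.invalid:" + hashlib.sha1(b"yourefired").hexdigest(),
    "bob@example.invalid:" + hashlib.sha1(b"hunter2").hexdigest(),
    "carol@example.invalid:" + hashlib.sha1(b"Tr0ub4dor&3").hexdigest(),
]

# Constructed wordlist. A real audit wordlist has millions of entries, which is
# still a fraction of a second of work against an unsalted fast hash.
CONSTRUCTED_WORDLIST = ["password", "yourefired", "hunter2", "letmein"]

# Illustrative PBKDF2 work factor (assumption, kept small so the example runs fast).
KDF_ITERATIONS = 200_000


def build_leak_index(records):
    """Parse 'email:sha1hex' lines into a {sha1hex: [emails]} lookup table."""
    index = {}
    for line in records:
        email, _, digest = line.strip().partition(":")
        index.setdefault(digest.lower(), []).append(email)
    return index


def audit_unsalted_table(index, wordlist):
    """Audit an unsalted SHA-1 table: hash each wordlist entry once and look it
    up. Every account whose password is in the list is recovered in one pass,
    which is why a leaked unsalted table is effectively plaintext."""
    recovered = {}
    for word in wordlist:
        digest = hashlib.sha1(word.encode()).hexdigest()
        for email in index.get(digest, []):
            recovered[email] = word
    return recovered


def screen_candidate(password, user_terms, leak_index):
    """Registration-time policy: reject a password that appears in a known
    breach (the reuse problem) or that contains a term tied to the user."""
    if hashlib.sha1(password.encode()).hexdigest() in leak_index:
        return "rejected: appears in a known breach"
    compact = password.lower().replace(" ", "")
    for term in user_terms:
        if term.lower().replace(" ", "") in compact:
            return f"rejected: contains user-associated term '{term}'"
    return "accepted"


def store_password(password, salt=None):
    """How the service itself should store a password: random per-user salt
    plus a slow KDF, so equal passwords give different records and a leaked
    table cannot be reversed with a set lookup."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the recomputed KDF output."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    index = build_leak_index(CONSTRUCTED_LEAK)
    print("recovered from unsalted table:", audit_unsalted_table(index, CONSTRUCTED_WORDLIST))
    for pw in ["yourefired", "trump2016!", "correct horse battery staple"]:
        print(repr(pw), "->", screen_candidate(pw, ["Donald", "Trump"], index))
    salt, digest = store_password("yourefired")
    print("salted KDF verifies:", verify_password("yourefired", salt, digest))
    print("second store of same password differs:", store_password("yourefired")[1] != digest)
```

The screening function hashes the candidate with SHA-1 only because that is the format of the leak being checked against; the service's own records go through `store_password`, never through the fast hash.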