After a number of peculiar tweets appeared on Twitter CEO Jack Dorsey’s account on the service Friday, it was quickly apparent it had been compromised. The hijacker(s) posted racial slurs, anti-semitic remarks and other seemingly random and/or offensive tweets on the @jack page. It took Twitter around 18 minutes to remove the tweets. The company noted around 90 minutes after the intrusion that it had secured the account.
It appears the infiltrators were able to post messages to Dorsey’s account through a fairly old-school (and vulnerable) method of tweeting: text messages. Tweets display the app or method used to post them. For these tweets, it was Cloudhopper, a service Twitter acquired in 2010 to bolster its SMS functionality.
If you send a text message to 40404 using the phone number linked to your Twitter account, the SMS will be posted as a tweet. Cloudhopper will appear as the source on said tweet.
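Because each tweet carries the name of the app or method that posted it, that source label can double as a detection signal. The sketch below is an added illustration, not part of the original report and not Twitter's code: it flags SMS-sourced posts on accounts whose recent history shows no SMS posting. The record fields, the 90-day window, the five-post minimum and the account names are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMS_SOURCES = {"Cloudhopper"}   # source label the article reports for SMS-posted tweets
LOOKBACK = timedelta(days=90)   # assumed baseline window
MIN_BASELINE = 5                # assumed minimum history before judging an account

def flag_unusual_sms_posts(posts):
    """Return SMS-sourced posts from accounts whose recent history shows no SMS use."""
    history = defaultdict(list)  # account -> [(time, source)] of accepted posts
    flagged = []
    for post in sorted(posts, key=lambda p: p["time"]):
        acct, when, src = post["account"], post["time"], post["source"]
        recent = Counter(s for t, s in history[acct] if when - t <= LOOKBACK)
        enough = sum(recent.values()) >= MIN_BASELINE
        if src in SMS_SOURCES and enough and recent[src] == 0:
            # Keep flagged posts out of the baseline so a burst stays flagged.
            flagged.append(post)
            continue
        history[acct].append((when, src))
    return flagged

def _posts(account, source, start, count, step):
    """Build `count` constructed post records spaced `step` apart."""
    return [{"account": account, "source": source, "time": start + i * step}
            for i in range(count)]

# Constructed sample data: account names and timestamps are invented.
SAMPLE = (
    _posts("exec_account", "Twitter for iPhone", datetime(2020, 1, 1, 9), 6, timedelta(days=2))
    + _posts("exec_account", "Cloudhopper", datetime(2020, 1, 14, 15), 3, timedelta(minutes=4))
    + _posts("sms_user", "Cloudhopper", datetime(2020, 1, 1, 8), 7, timedelta(days=1))
)

if __name__ == "__main__":
    for p in flag_unusual_sms_posts(SAMPLE):
        print(p["time"].isoformat(), p["account"], p["source"])
```

The account that routinely posts by SMS is left alone, while all three SMS posts in the burst on the app-only account are flagged.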
Twitter suggested Dorsey’s cell carrier was at fault. “The phone number associated with the account was compromised due to a security oversight by the mobile provider,” it wrote in a statement.
It’s not the first time that @jack has been compromised. Security company OurMine posted a tweet from Dorsey’s account in 2016, suggesting that it was “testing your security.” The firm also accessed the accounts of Mark Zuckerberg and Sundar Pichai, the CEOs of Facebook and Google.