Dutch ethical hacker Victor Gevers claims it only took five attempts to guess the [password to President Donald Trump’s Twitter account](<https://www.volkskrant.nl/nieuws-achtergrond/dutch-ethical-hacker-logs-into-trump-s-twitter-account~badaa815/?referrer=https%3A%2F%2Ft.co%2F>) — “maga2020!”.
That’s all he needed to hijack the @realdonaldtrump handle, according to a report from Dutch newspaper de Volkskrant, because it lacked even the most basic two-factor authentication (2FA), exposing major flaws in the digital security surrounding the President.
While Threatpost has not been able to independently verify the veracity of Gevers’ claim of the Oct. 16 hack of Trump’s Twitter, several professionals have analyzed screenshots and [vouch for their authenticity](<https://www.vn.nl/trump-twitter-hacked-again/>), according to Dutch magazine Vrij Nederland, which added that Gevers works for the Dutch government by day and runs the [ethical hacking GDI Foundation](<https://gdi.foundation/#/>) in his spare time — and so is well regarded within the country’s security community.
## **Twitter Safety & 2FA**
Twitter, however, said it is dubious about the report.
“We’ve seen no evidence to corroborate this claim, including from the article published in the Netherlands today,” a Twitter spokesperson said in a statement responding to Threatpost’s inquiries. “We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government.”
An announcement on Sept. 17 from Twitter Safety said the company was sending in-app notifications “requiring” or “strongly recommending” [enhanced security measures](<https://blog.twitter.com/en_us/topics/company/2020/Improved-Account-Security-2020-US-Election.html>), including a requirement for a strong password, to members of government and journalists in the run-up to the election.
The policy goes on to “strongly encourage” these accounts to [enable 2FA](<https://threatpost.com/threatpost-poll-can-we-fix-2fa/140836/>) but does not say it’s a requirement.
[2FA requires users](<https://threatpost.com/ring-mandates-2fa-hacks/152971/#:~:text=%E2%80%9CThis%20added%20authentication%20helps%20prevent,note%20to%20customers%20posted%20Tuesday.>) to have a one-time generated code, sent by email or text, which needs to be entered to log in. This keeps bad actors from accessing the account even if they have the username and password.
## **Duty to Report**
Gevers said that after he successfully hacked the president’s Twitter account he went to great lengths to report the vulnerability, sending emails, screenshots and social-media messages to various U.S. government entities through Twitter, Parler and other platforms, de Volkskrant reported. Days later, he found the 2FA to be in place and two days after that, he received a friendly email from the Secret Service thanking him.
While that didn’t do much to explain how it came to be that Trump didn’t have basic protections on his Twitter account, Gevers speculated to de Volkskrant that it has something to do with his age, adding, “…elderly people often switch off two-step verification because they find it too complicated.”
This isn’t the first time Gevers was reportedly able to commandeer the infamous Twitter handle. In 2016, he was part of a group of self-described “grumpy old hackers” who [accessed Trump’s Twitter account](<https://www.vn.nl/trump-twitter-hacked-again/>) by guessing the password “yourefired,” Vrij Nederland reported. The group tried to alert team Trump that, “he had his digital fly open,” with no response at the time, Vrij Nederland added.
Gevers told de Volkskrant that it was recent headlines about presidential candidate Joe Biden’s son, Hunter Biden, being hacked that inspired him to start spot-checking accounts for U.S. political figures.
“Doing spot checks, that’s my work: Look for any leaks in security,” he said. When he got to Trump’s account, he tried a few variations, expecting to get locked out after the fourth failed attempt; instead, he hit the jackpot on try number five, according to de Volkskrant.
Gevers’ reaction, according to Vrij Nederland? “Not again!”
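The two controls this account turns on, a lockout after repeated failed guesses and a one-time code as a second login step, sketched as an added example (not code from Twitter or from the reporting). The `LoginGate` class, the threshold of four failures and the five-minute code lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 4   # assumption: lock once four attempts have failed
CODE_TTL = 300     # assumption: one-time code lives five minutes


class LoginGate:
    """Hypothetical two-step login: password, then a one-time code."""

    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.failures = 0
        self.pending = None  # (code, expiry) once step 1 has passed

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def submit_password(self, guess, now=None):
        """Step 1: returns (status, code to deliver out of band)."""
        now = time.time() if now is None else now
        if self.failures >= MAX_FAILURES:
            return "locked", None  # refused before the guess is even compared
        if not hmac.compare_digest(self._hash(guess), self.pw_hash):
            self.failures += 1
            return "denied", None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending = (code, now + CODE_TTL)
        return "code_sent", code  # goes to email or text, never to the login page

    def submit_code(self, code, now=None):
        """Step 2: a session exists only after this returns 'logged_in'."""
        now = time.time() if now is None else now
        if self.failures >= MAX_FAILURES:
            return "locked"
        if self.pending is None:
            return "denied"
        expected, expiry = self.pending
        self.pending = None  # single use: consumed whether right or wrong
        if now > expiry or not hmac.compare_digest(code, expected):
            self.failures += 1
            return "denied"
        self.failures = 0
        return "logged_in"
```

With this gate, a correct password on the fifth try returns `locked`, and a correct password on the first try still yields no session until the delivered code is entered.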
## **Election & Data Security**
This report comes at a time when U.S. law-enforcement officials warn Russia and Iran are actively engaging in election interference through [hacked voter-registration information](<https://abcnews.go.com/Politics/fbi-russia-iran-obtained-voter-data-election-interference/story?id=73750385>).
Cybercriminals are “going after the minds of the American people and their trust in the democratic institutions that we use to select our leaders,” Matt Olney, director of Talos’ Threat Intelligence and Interdiction at Cisco, [told Threatpost](<https://threatpost.com/cybercriminals-step-up-game-us-elections/160373/>) this week.
The good news is that the public is getting smarter about information security.
“Everybody has a role in election security,” Olney explained. “And that includes the election community who have gone at that problem aggressively over the last four years; [and] the public, which has largely adopted a more skeptical eye towards information as it comes out, for better or worse.”
The question is whether our most high-profile leaders will follow suit.
“But politicians also have a role, and they have to ensure that they are not handing victories to our adversaries,” Olney said.
Source: “Researcher: I Hacked Trump’s Twitter by Guessing Password,” by Becky Bracken, Threatpost, published 2020-10-22 (<https://threatpost.com/researcher-hacked-trumps-twitter-password/160473/>).