Twitter CEO Jack Dorsey is having a bad day, with hackers taking control of his account and using it to tweet out racist messages and profanity. A group referring to itself as the “Chuckle Gang” apparently broke into the @jack account, and then proceeded to send out racist tweets and retweet other users to the chief executive’s 4.2 million followers.
It’s an embarrassing security lapse for one of Twitter’s highest-profile users. Multiple messages were sent out using the account, though many were subsequently deleted as the hackers retained control.
The hack started on Friday afternoon, with rogue tweets being posted to the account. Among the profanity, the hackers included links to a Discord server which has since been deactivated. Several tweets claimed the attack was the work of the so-called “Chuckle Gang.”
Adding to the complexity, the fact that the hackers discussed a bomb threat at Twitter headquarters could end up escalating the incident to a felony. By 1:08pm PST, meanwhile, all of the rogue tweets were removed from Dorsey’s page. It’s unclear at time of publication whether that means the rightful owner of the account has retaken control.
It’s a reminder that everybody – whether they’re the CEO of Twitter or otherwise – should be taking every possible precaution when it comes to account security. Twitter offers 2-factor authentication, for example, which it refers to as login verification. That’s described as “an extra layer of security for your Twitter account.”
After it’s enabled, users need both their password and a second layer of authentication to access their account. That second layer can either be through receiving an SMS text message, or by using a third party app or security key for the verification.
Two-factor authentication isn’t turned on by default, though the advice is that all users of the site should enable it. There are also concerns more broadly about the security of SMS-based 2FA. It seems unlikely that Dorsey didn’t have the extra level of security active on his account, but it’s unclear how exactly the hackers gained access to it.
In a statement on the Twitter Communications account, the company acknowledged the hack. “We’re aware that @jack was compromised and investigating what happened,” the tweet confirmed.
Update: The tweets made to Dorsey’s account were listed as being posted by Cloudhopper, a company Twitter acquired back in 2010. It allowed tweets to be posted via SMS. One possibility is that, rather than breaking through whatever security Dorsey has active, the exploit took advantage of an old Twitter service still tied to the @Jack account.
You can check which services are connected to your Twitter account by going to the Settings tab, choosing the Account tab, and then Apps and Sessions. It’s a good idea to remove any connections that you no longer use.