When Dutch ethical hacker Victor Gevers tried to alert the US Secret Service that he was able to guess the password to President Donald Trump’s Twitter handle last October, there were plenty of sceptics, most notably at the White House.
Now, Dutch prosecutors have determined Gevers did, in fact, guess the password to the world’s most powerful Twitter account, but said that he will not be charged with a crime because he was acting ‘honourably’ to track down vulnerabilities associated with high-profile accounts.
So, no charges for Dutch ethical hacker Victor Gevers, who prosecutors say did actually access Trump’s Twitter account by guessing his password, “MAGA2020!”, last October. Let us hope the outgoing President has now changed it!
Ethical Hacker Vindicated
“This is not just about my work but all volunteers who look for vulnerabilities on the internet,” Gevers told the BBC. Gevers is a respected cyber-researcher who works for the Dutch government by day and in his spare time runs the ethical hacking non-profit GDI Foundation.
Gevers explained last autumn he was performing a random check of high-profile Twitter accounts. It took him only five guesses to come up with the right password for @realdonaldtrump, “MAGA2020!” He observed that, beyond the incredibly weak password, two-factor authentication (2FA) had not been enabled on the account.
2FA generates a unique code, sent by email or text to a known device, which must be entered to log in. After Gevers reported this issue to the US Secret Service and other agencies, including to the White House directly, he received no response, but noticed the account was secured with 2FA two days later.
When logged in, Gevers was able to access Trump’s private messages, photos, bookmarks, and a list of accounts he had blocked.
At the time, Gevers speculated Trump did not have basic protections in place because they are a hassle, adding, “…elderly people often switch off 2-step verification because they find it ‘too complicated’.”
Dutch Prosecutors Defend Hack
After an investigation, Dutch authorities were ‘convinced’ that Gevers was acting in ‘good faith’ to protect Trump’s security.
“The hacker released the login himself,” Dutch Police explained, according to the BBC. “He later stated to police that he had investigated the strength of the password because there were major interests involved if this Twitter account could be taken over so shortly before the presidential election.”
The White House denied that the breach had occurred, and when Gevers informed Twitter that he was able to guess Trump’s password and access the account, the company stated it was ‘sceptical.’
“We’ve seen no evidence to corroborate this claim, including from the article published in the Netherlands today,” a Twitter spokesperson said in a statement.
Dutch Police, however, disagree!
This was not the first time Trump’s Twitter was left vulnerable. In 2016, Gevers was also able to guess Trump’s password, “yourefired.”
“Leaving politics and personality aspects aside, this is still the perfect example of senior management being unsavvy about cyber-security issues,” Dirk Schrader, Global VP of New Net Technologies, commented.
“Countless security professionals have had this experience, that implementing stricter password rules in the security policy is approved by management for the company with an exception granted for management itself.
“The need to have senior management supporting security initiatives to become cyber-resilient is far too often thwarted by that lack of participation in the efforts. If 2FA is seen as an obstacle, there is no ‘leading by good example’.”
Lapse of Security
Other than vindicating Gevers’ claims, this confirmation of an ‘embarrassing lapse’ in security out of the White House looks more worrying during the same week the US government is trying to deal with the full extent of the major SolarWinds breach.
During his presidency, outgoing President Trump has used his Twitter account to announce firings at top levels of government, conduct sensitive diplomatic negotiations with the likes of North Korean leader Kim Jong-Un and set US domestic policy. A breach could let a malicious actor break markets, start wars and cause chaos worldwide.
US Cyber-Security Emergency
The revelation that the Twitter compromise happened, despite the White House denial, speaks to a troubling lack of concern and transparency about cyber-security at the very top of the US government, researchers warned.
“This serves as vindication for the researcher; however, it also presents a troubling view of how security may have been handled by the administration,” Jack Mannino, CEO at nVisium, outlined.
“While you cannot jump to conclusions about practices elsewhere, these types of incidents are generally associated with teams who have a relatively low level of security maturity. This is certainly not what you would expect or hope for from the White House, if it proved to be true.”
While the outgoing Trump administration deals with an ongoing, unprecedented number of breaches both large and small without senior staff in place (ex-CISA Chief Christopher Krebs was ‘unceremoniously’ fired by tweet by Trump last month after defending the integrity of the presidential election), officials from previous administrations say they see this as a ‘moment of dire emergency’ for the US.
SolarWinds Attack
Former White House Chief Information Officer (CIO) Theresa Payton told CNN that the state of US cyber-security in the wake of the SolarWinds attack is ‘keeping her up at night’.
“I woke up in the middle of the night last night just sick to my stomach,” said Payton, who served as White House CIO under President George W. Bush. “On a scale of one to 10, I’m at a 9, and it’s not because of what I know; it’s because of what we still don’t know.”