When Dutch ethical hacker Victor Gevers tried to alert the Secret Service that he was able to guess the password to President Donald Trump’s Twitter handle last October, there were plenty of skeptics, most notably at the White House. Now, Dutch prosecutors have determined Gevers did, in fact, guess the password to the world’s most powerful Twitter account, but said that he will not be charged with a crime because he was acting honorably to track down vulnerabilities associated with high-profile accounts.
Ethical Hacker Vindicated
“This is not just about my work but all volunteers who look for vulnerabilities in the internet,” Gevers told the BBC. Gevers is a respected cyber-researcher who works for the Dutch government by day and in his spare time runs the ethical hacking non-profit GDI Foundation.
Gevers said last fall he was performing a random check of high-profile Twitter accounts. It took him only five guesses to come up with the right password for @realdonaldtrump: “MAGA2020!” He said that, beyond the incredibly weak password, two-factor authentication (2FA) had not been enabled on the account.
2FA generates a unique code, sent by email or text to a known device, which must be entered to log in. After Gevers reported the issue to the Secret Service and a number of other agencies, including the White House directly, he received no response but noticed two days later that the account was secured with 2FA.
Once logged in, Gevers was able to access Trump’s private messages, photos, bookmarks and the list of accounts he had blocked.
At the time, Gevers speculated Trump didn’t have basic protections in place because they’re a hassle, adding, “…elderly people often switch off two-step verification because they find it too complicated.”
Dutch Prosecutors Defend Hack
Following an investigation, Dutch authorities were convinced that Gevers was acting in good faith to protect Trump’s security.
“The hacker released the login himself,” Dutch police said, according to the BBC. “He later stated to police that he had investigated the strength of the password because there were major interests involved if this Twitter account could be taken over so shortly before the presidential election.”
The White House denied that the breach occurred, and when Gevers informed Twitter that he was able to guess Trump’s password and access the account, the company said it was skeptical.
“We’ve seen no evidence to corroborate this claim, including from the article published in the Netherlands today,” a Twitter spokesperson said in a statement responding to Threatpost’s inquiries.
Dutch police disagree.
This wasn’t the first time Trump’s Twitter was left vulnerable. In 2016, Gevers was also able to guess Trump’s password, “yourefired.”
“Leaving politics and personality aspects aside, this is still the perfect example of senior management being unsavvy about cybersecurity issues,” Dirk Schrader, global vice president of New Net Technologies, told Threatpost. “Countless security professionals have had this experience, that implementing stricter password rules in the security policy is approved by management for the company with an exception granted for management itself. The need to have senior management supporting security initiatives to become cyber-resilient is far too often impeded by that lack of participation in the efforts. If 2FA is seen as an obstacle, there is no ‘leading by good example’.”
Besides vindicating Gevers’ claims, this confirmation of an embarrassing lapse in security out of the White House looks more ominous during the same week the U.S. government is trying to grapple with the full extent of the SolarWinds breach.
Over the course of his presidency, Trump has used his Twitter account to announce firings at the top levels of government, conduct sensitive diplomatic negotiations with the likes of North Korean dictator Kim Jong-Un and set domestic policy. A breach could let a malicious actor tank markets, start wars and cause chaos throughout the globe.
U.S. Cybersecurity Emergency
The revelation that the Twitter compromise was real, despite the White House denial, hints at a troubling lack of concern and transparency about cybersecurity at the very top of the government, researchers said.
“This serves as vindication for the researcher; however, it also presents a troubling view of how security may have been handled by the administration,” Jack Mannino, CEO at nVisium, told Threatpost. “While you can’t jump to conclusions about practices elsewhere, these types of incidents are generally associated with teams who have a relatively low level of security maturity. This is certainly not what you would expect or hope for from the White House, if it proved to be true.”
While the Trump administration grapples with an ongoing, unprecedented number of breaches both large and small without senior staff in place (CISA chief Christopher Krebs was unceremoniously fired by Trump via tweet last month after defending the integrity of the presidential election), officials from previous administrations say they see this as a moment of dire emergency for the country.
Former White House Chief Information Officer Theresa Payton told CNN that the state of U.S. cybersecurity in the wake of the SolarWinds attack is keeping her up at night.
“I woke up in the middle of the night last night just sick to my stomach,” said Theresa Payton, who served as White House CIO under President George W. Bush. “On a scale of one to 10, I’m at a nine — and it’s not because of what I know; it’s because of what we still don’t know.”