Jack Dorsey hacked: What did the hack on Twitter remind us of?

Hackers managed to take control of Twitter CEO Jack Dorsey's account for about 15 minutes on Friday afternoon.

Of course, right after that they started celebrating with tweets that were not so elegant. Before the technicians could get the account back and delete the tweets, the hackers announced their name: Chuckling Squad. It is a group that has recently managed to breach several YouTube star accounts.

 


A brief takeover of a high-profile person's account may seem like a simple hack, or at least a simpler one than breaking into a company's systems.

However, this account belonged to the CEO of a large social media company, and it was compromised on his own platform.

After Friday's hack, we can focus on three points that many of us have probably forgotten.

Check your Twitter app permissions now.

The details of Friday's hack have not been revealed, but tweets from Dorsey's account appear to have been posted using a service called Cloudhopper.

Twitter acquired a startup called Cloudhopper in 2010. The service allows users to post tweets from their phone via SMS text messages without logging into Twitter. If Jack Dorsey had enabled Cloudhopper, it may have allowed hackers to post from his account without having to steal his Twitter password. There were also indications that they gained access to his phone number, through a technique called SIM swapping, rather than to his Twitter account.

Cloudhopper is not some random, malicious third-party application. It has long been integrated into Twitter itself. No one knows for certain whether Dorsey could have prevented the attack by disabling it.

However, it is a good reminder that your account can be compromised through the various applications and services that you have given access to and, over time, have completely forgotten about, as Dorsey may have forgotten Cloudhopper.

You should check your Twitter permissions regularly, and if you haven't done so, do it now. If you see applications that you do not recognize or trust, revoke their access to your account.

https://twitter.com/settings/applications

Let's look at SIM swapping

Security experts have long warned about the SIM-swapping technique. Basically, someone convinces the mobile phone provider to change your SIM card. How? They can pretend to be you, or they can pay an employee, or work with someone in the company. We will not go into it further, but it has happened and will continue to happen.

Once they get access to the card, they essentially have your phone: not the hardware, but your phone line itself. This is of course a huge problem, because the default method of protecting various online accounts is two-factor authentication, which often uses your phone line. So if an app like Facebook or Twitter asks for a verification code to give you access, the code will be sent to the phone of the person who stole your number.

In this case, it seems the hackers needed the phone number for Cloudhopper. Security researchers say Dorsey's account was probably compromised through a SIM swap, as this is the method the Chuckling Squad group uses.

Unfortunately, there is nothing you can do to fully protect yourself from a SIM-swapping attack. One measure that can help is to use an authentication application such as Google Authenticator, instead of your phone number, for two-factor authentication on the services that allow it.

 

It could have been worse

A hack on a CEO's account is not the best thing for a company's reputation. But imagine what could happen if President Trump's account were compromised.

A capable hacker who could gain access to an account like Trump's could, in theory, cause significant damage.

Imagine if he could post tweets that shake markets or move military forces. Jack Dorsey has been reporting for years that the of Twitter is a more important priority. After this, the company should review its user protection practices, so that we don't see worse.

iGuRu.gr The Best Technology Site in Greece

Written by giorgos
