On Thursday, Dutch media outlets reported that security researcher Victor Gevers had accessed President Trump's Twitter account with the password "maga2020!"
But multiple security experts, including those who track how Twitter accounts are compromised, as well as a review of the material that Gevers provided to Dutch and other media to corroborate his claim, cast doubt on the hacking claim.
TechCrunch published a screenshot allegedly showing Gevers' access to Trump's account. The "Bio" section of the screenshotted profile reads "45th President of the United States," which, as the screenshot says, is 46 characters long.
But that is not Trump's bio. Trump's bio reads "45th President of the United States 🇺🇸," including the American flag emoji. This is his bio now, and was also his bio on October 15, around the time the alleged hack is supposed to have taken place, according to the Internet Archive. When entered as a bio into Twitter, that phrase with the emoji is 50 characters in length. Jeffrey Knockel from the Citizen Lab at the Munk School of Global Affairs at the University of Toronto first highlighted this apparent inconsistency to Motherboard. (Motherboard verified this by altering one of our own Twitter profiles).
Here is the image published by TechCrunch showing Gevers' alleged access, with the Twitter bio not including the American flag emoji:
Here is Trump's real bio including the American flag emoji on October 15th, according to the Internet Archive:
Here is a test conducted by Motherboard to show that Trump's bio should be 50 characters in total:
When asked about this inconsistency, Gevers told Motherboard he didn't know what material was provided to the press, and that he wasn't able to provide more evidence since he didn't have access to the device where it was stored. He directed us to Gerard Janssen, one of the Dutch journalists who covered the alleged breach and who provided Motherboard with a copy of the screenshots and other material. Janssen said they would in turn ask Gevers, as "I am sure he has an explanation."
Twitter itself said it had no evidence of the alleged hack.
"We've seen no evidence to corroborate this claim, including from the article published in the Netherlands today," a Twitter spokesperson told Motherboard in an email. "We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government."
Regarding those security measures, which came into effect before Gevers allegedly hacked Trump's account in October, the spokesperson pointed to a September 17 blog post on the company's website called "Improved Account Security during the 2020 US Election." In it, Twitter specified that the security measures were for "US Executive Branch and Congress," which would include the President of the United States' Twitter account. The post adds that such "Accounts will be required to use a strong password. Accounts with a weak password will be required to update and use a stronger password the next time they log in."
Twitter's own strong password criteria, available elsewhere on the company's website, suggest users should "create a password at least 10 characters long." The password "maga2020!", which is what Gevers allegedly used to log into Trump's account, is nine characters long. However, Twitter did not respond when asked specifically whether high-profile election-related accounts are required to have passwords of at least 10 characters.
Although not directly related to breaking into accounts by guessing the password, in 2017 a Twitter contractor briefly deleted Trump's account. After that incident, the company put more robust protections specifically on Trump's account.
Twitter also likely has several mechanisms in place for being able to detect unauthorized access to accounts after a breach.
"I would expect at minimum for every account they would log the IP and device info for every new login," Nicholas Weaver, senior researcher at the International Computer Science Institute at UC Berkeley, told Motherboard in a Twitter direct message. "This would be a 'new device' so it would be trivial for Twitter to verify if true or not." And Twitter says it has no evidence to support the claim of the breach.
Hackers often use automated tools to churn through possible username and password combinations on popular sites, for example to hijack Uber, Facebook, or Twitter accounts. According to Alon Gal, CTO of Hudson Rock, this raises the question of how Gevers could be the first person to have breached Trump's account with such a password, or at least the first to admit it.
"There are claims made that Twitter is actively being brute-forced using dictionary attacks, a password containing just 4 letters, the current year and '!' is extremely common, how do you explain being the first one to enter the account using that password[?]" he told Motherboard in a Twitter direct message.
White House deputy press secretary Judd Deere told various outlets in a statement, “This is absolutely not true, but we don’t comment on security procedures around the President’s social media accounts.”
Update: This piece has been updated to clarify Gevers’ comments on why he said he was unable to address the inconsistency with the flag emoji.