A Dutch security researcher says he accessed President Trump’s @realDonaldTrump Twitter account last week by guessing his password: “maga2020!”.
Victor Gevers, a security researcher at the GDI Foundation and chair of the Dutch Institute for Vulnerability Disclosure, which finds and reports security vulnerabilities, told TechCrunch he guessed the president’s account password and was successful on the fifth attempt.
The account was not protected by two-factor authentication, granting Gevers access to the president’s account.
After logging in, he emailed US-CERT, a division of Homeland Security’s cyber unit Cybersecurity and Infrastructure Security Agency (CISA), to disclose the security lapse, which TechCrunch has seen. Gevers said the president’s Twitter password was changed shortly after.
It’s the second time Gevers has gained access to Trump’s Twitter account.
The first time was in 2016, when Gevers and two others extracted and cracked Trump’s password from the 2012 LinkedIn breach. The researchers took his password — “yourefired” — his catchphrase from the television show “The Apprentice” — and found it let them into his Twitter account. Gevers reported the breach to local authorities in the Netherlands, with suggestions on how Trump could improve his password security. One of the passwords he suggested at the time was “maga2020!” he said. Gevers said he “did not expect” the password to work years later.
Dutch news outlet Vrij Nederland first reported the story.
In a statement, Twitter spokesperson Ian Plunkett said: “We’ve seen no evidence to corroborate this claim, including from the article published in the Netherlands today. We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government.”
Twitter said last month that it would tighten the security on the accounts of political candidates and government accounts, including encouraging but not mandating the use of two-factor authentication.
Trump’s account is said to be locked down with extra protections after he became president, though Twitter has not said publicly what those protections entail. His account was untouched by hackers who broke into Twitter’s network in July in order to abuse an “admin tool” to hijack high-profile accounts and spread a cryptocurrency scam.
A spokesperson for the White House and the Trump campaign did not immediately comment, but White House deputy press secretary Judd Deere reportedly said the story is “absolutely not true,” but declined to comment on the president’s social media security. A spokesperson for CISA did not immediately confirm the report.
“It’s unbelievable that a man that can cause international incidence and crash stock markets with his Tweets has such a simple password and no two-factor authentication,” said Alan Woodward, a professor at the University of Surrey. “Bearing in mind his account was hacked in 2016 and he was saying only a couple of days ago that no one is hacked the irony is vintage 2020.”
Gevers has previously reported security incidents involving a facial recognition database used to track Uyghur Muslims and a vulnerability in Oman’s stock exchange.
Updated with Twitter comment, and corrected the name of publication which first published the news.