Last Friday, Dutch ethical hacker Victor Gevers managed to gain access to Donald Trump’s Twitter account. He was simply checking if the account was secure, when, after just a couple of attempts, he guessed the right password. Again. Because, as unbelievable as it may sound, Victor Gevers hacked Trump’s account before, in 2016.
Defenders of The Internet
Victor Gevers, 44, is a senior security specialist who works as an innovation manager for the Dutch government, specializing in network, mobile and web application security. In his spare time, he also leads the independent not-for-profit organization GDI.foundation, a network of 38 volunteers that addresses security issues with responsible disclosures.
Gevers and his foundation have already reported many thousands of data leaks and other vulnerabilities on the internet. “For every data breach that has made headlines, the GDI.foundation has prevented one hundred others. Most of them will never see the light of day”, the Dutch magazine Vrij Nederland reported. In the last 4 years, the GDI.foundation reported over a million security issues and data leaks. 926,000 of these issues have been fixed.
Easy to Guess Password
On October 16, a rather odd tweet appeared on Donald Trump’s Twitter timeline: “Twitter Shuts Down Entire Network To Slow Spread Of Negative Biden News [link] via @TheBabylonBee. Wowo, this has never been done in history […].” Babylon Bee is a satirical website aimed at Trump supporters.
Victor Gevers didn’t confirm whether he was the one who posted the Babylon Bee tweet, but he hints that he might have, and certainly could have. That Victor Gevers did have access to the @realDonaldTrump account (with 87.3 million followers) is evident from screenshots viewed by Vrij Nederland and RTL News, as confirmed by their reports.
Gaining access to Donald Trump’s account was easy. Victor Gevers tried 7 different passwords: “yourefired!”, “IWillAmericaGreatAgain!”, “MakeAmericaGreatAgain”, “MakeAmericaGreatAgain!”, “Maga2020”, “Maga2020!” and “maga2020!”. The last one – an often-used abbreviation for Trump’s slogan – was a hit.
No Two-Factor Authentication
To Victor Gevers’ surprise, two-factor authentication was disabled on Trump’s Twitter account. This means that Victor Gevers had full access to the account and could indeed tweet on Trump’s behalf. If he had wished, he could also have changed the account’s password and profile picture, or downloaded a data file with all of Trump’s direct messages, etc.
However, according to Victor Gevers, that was not his intent. “A sense of moral duty kicked in. There’s this unwritten code in Responsible Disclosure. Each person deserves the right to a decent report. Including Donald Trump”, Victor Gevers said to Vrij Nederland. Attempts to get a warning to the president failed. Therefore, he decided to leave behind “a bit more digital evidence” than in 2016.
It Was Not His First Time
As bizarre as it may sound, this was not the first time that Victor Gevers hacked Trump’s Twitter account. In 2016, together with two of his friends, he sifted through a list of leaked LinkedIn passwords during a hacking conference in the Belgian city of Ghent. They discovered a password linked to an email address that seemed to belong to Trump: “yourefired”.
That LinkedIn breach happened in 2012, meaning Trump was still using the same password four years later and had reused it for both his LinkedIn and Twitter accounts. This despite the fact that one of the basic rules for creating a secure password is never to reuse a password and to change passwords on a regular basis!
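As an added illustration of the defender’s side of this story (example code, not from the article or any of the parties involved), the following check shows how a sign-up or password-reset flow could have rejected every one of the seven guesses quoted above: it normalizes away the digits and punctuation that turn “maga” into “Maga2020!”, compares the result against a breached-credential list, and flags passwords derived from phrases publicly tied to the account holder. The breached list and the phrase list are constructed stand-ins.

```python
import re

# Constructed stand-in for a breached-credential dump (the article's 2012 LinkedIn leak).
BREACHED_PASSWORDS = {"yourefired", "123456", "linkedin"}

# Public phrases associated with the account holder; assumption: the slogans quoted above.
PUBLIC_PHRASES = ["you're fired", "make america great again", "trump"]

# The seven guesses listed in the article, used here only as audit input.
ARTICLE_GUESSES = ["yourefired!", "IWillAmericaGreatAgain!", "MakeAmericaGreatAgain",
                   "MakeAmericaGreatAgain!", "Maga2020", "Maga2020!", "maga2020!"]


def normalize(password: str) -> str:
    """Lower-case and drop the digits and punctuation people bolt onto a base word,
    so 'Maga2020!' and 'maga2020!' both reduce to 'maga'."""
    return re.sub(r"[^a-z]", "", password.lower())


def derived_from_phrase(base: str, phrase: str) -> bool:
    """True if the normalized password is an acronym of, or contains most of, a public phrase."""
    words = re.sub(r"[^a-z ]", "", phrase.lower()).split()
    initials = "".join(w[0] for w in words)
    if len(initials) >= 4 and initials in base:        # "maga" from "make america great again"
        return True
    long_words = [w for w in words if len(w) >= 4]
    hits = sum(w in base for w in long_words)
    return hits > 0 and hits >= min(2, len(long_words))


def weaknesses(password: str) -> list[str]:
    """Return the policy violations a registration or reset flow should reject on."""
    base = normalize(password)
    issues = []
    if base in {normalize(p) for p in BREACHED_PASSWORDS}:
        issues.append("reused-breached")      # the 2012 LinkedIn password, reused in 2016
    if any(derived_from_phrase(base, p) for p in PUBLIC_PHRASES):
        issues.append("public-phrase")        # slogan variants are a tiny guessing space
    if len(password) < 12:
        issues.append("too-short")
    return issues


def audit(candidates: list[str]) -> dict[str, list[str]]:
    """Audit each candidate; an empty list means it passed."""
    return {pw: weaknesses(pw) for pw in candidates}


if __name__ == "__main__":
    for pw, issues in audit(ARTICLE_GUESSES + ["correct horse battery staple"]).items():
        print(f"{pw!r:32} {'ok' if not issues else ', '.join(issues)}")
```

A real deployment would back the breached set with a k-anonymity lookup against a breach corpus rather than an in-memory set, and would pair this check with mandatory two-factor authentication and a failed-attempt lockout.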
Just like in 2016, in the current incident, Victor Gevers immediately reported the vulnerability not only to Trump, but also to the White House, Twitter, CISA and the US government. On Tuesday evening 20 October 2020, the US government finally contacted Victor Gevers, said Vrij Nederland. Their message? “Thank you, dear infosec community, for helping to get ‘first contact’ – Responsible disclosure #5780 will be handled by the experts now.”
An IQ of a 197
One day prior, Donald Trump was holding a campaign rally in Arizona, where he discussed hackers and Hunter Biden’s laptop. “I have never known anyone who says they have been hacked or who has been hacked. Nobody gets hacked. To be hacked you need someone with an IQ of a 197, and he needs to know 15% of your password. Doesn’t happen.”