A security researcher reportedly logged in to President Trump’s Twitter account last week by guessing the password—it was “maga2020!”—and then alerted the US government that Trump needed to upgrade his Twitter security practices.
Security researcher Victor Gevers reportedly guessed Trump’s password on the fifth attempt and was dismayed that the president had not enabled two-step authentication. The news was reported today by de Volkskrant, a Dutch newspaper, and the magazine Vrij Nederland. Both reports had quotes from Gevers, while Vrij Nederland also published a screenshot that Gevers says he took when he had access to the @realdonaldtrump account.
Gevers reportedly gained access to Trump’s Twitter account on Friday last week. He says he tried passwords such as “MakeAmericaGreatAgain” and “Maga2020” before hitting on the correct password of “maga2020!” Gevers is a well-known security researcher and has been quoted in several Ars articles on other security topics going back to 2017. He is a researcher at the nonprofit GDI Foundation and chair of the Dutch Institute for Vulnerability Disclosure.
“I expected to be blocked after four failed attempts” or at least be “asked to provide additional information,” Gevers said, according to de Volkskrant. The report said:
“The Dutchman alerted Trump and American government services to the security leak. After a few days, he was contacted by the American Secret Service in the Netherlands. This agency is also responsible for the security of the American President and took the report seriously, as evidenced by correspondence seen by de Volkskrant. Meanwhile Trump’s account has been made more secure.”
Trump account tweeted satire article about Biden
On the same day Gevers allegedly hacked into Trump’s Twitter account, the account tweeted a satirical article by the Babylon Bee titled, “Twitter Shuts Down Entire Network To Slow Spread Of Negative Biden News.” Trump was seemingly fooled by the satirical news site, but the Vrij Nederland article suggests the tweet might have been sent by Gevers when he had access to Trump’s profile.
“I am not saying I did it,” Gevers said, according to Vrij Nederland. “But what if I was the one to post the tweet? Then Trump will need to either admit to never having read the Babylon Bee article and posting this bullshit tweet, OR he will need to acknowledge that someone else posted the tweet.” The tweet still has not been deleted.
Twitter today said it has “seen no evidence to corroborate this claim” that Trump’s account was hacked, according to an article by The Independent. But Twitter also said it has “proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government.”
Twitter’s statement doesn’t disprove Gevers’ claim. We contacted Gevers today, and he confirmed to Ars that he logged in to Trump’s Twitter account using the password “maga2020!” and that this was the “second time in four years” that he accessed Trump’s Twitter account. Gevers and two other researchers say they got into Trump’s Twitter account in 2016 by obtaining his password from a data breach, with the password at that time being “yourefired.”
White House Deputy Press Secretary Judd Deere also denied Gevers’ claim, telling Forbes, “This is absolutely not true, but we don’t comment on security procedures around the president’s social media accounts.”
Trump wasn’t informed of 2016 hack
Gevers says he reached out to the Trump team in 2016 but later found out that “Donald Trump never received our emails in 2016,” Vrij Nederland quoted Gevers as saying. “Nobody informed him back then, either. He was never informed of the fact that three people from the Netherlands tried to inform him in a timely matter.”
Gevers was successful in getting through to the Trump team this time. This past Saturday, “I suddenly saw that two-step verification for the account had been activated,” Gevers said, according to de Volkskrant. He also heard from the US Secret Service, which “thank[ed] Gevers, telling him that they were unaware of the security leak,” the article said.
Gevers is still concerned about the security of prominent Twitter accounts like Trump’s. “Why is it possible for someone from a different time zone to log in to such an important account? Why doesn’t Twitter demand better passwords? If I can access his account, then foreign nations can do so as well, right? Why aren’t the persons who are supposed to protect the president informed when someone reports that his account is unsafe?” he told de Volkskrant.
The security burden isn’t all on Twitter itself—Twitter users have to take action on their own to protect their accounts. “To put it harshly: people who in the year 2020 still ignore basic advice on online security are a potential danger to themselves and to those around them,” Secura security researcher Matthijs Koot told de Volkskrant.
Trump might have had a hard time believing that his account was hacked. At a campaign event in Arizona on Monday, three days after Gevers apparently hacked his Twitter account, the president claimed that “nobody gets hacked. To get hacked, you need somebody with a 197 IQ and he needs about 15 percent of your password.”