The official Twitter account of Jack Dorsey, the CEO of the social media platform, was hacked on Friday and used to broadcast racial slurs and a bomb threat.
Shortly before 1 p.m. in San Francisco on Friday, Dorsey's @jack account tweeted a link to a Discord chat and RT'd a series of tweets, including one that read, "follow me i am jacks daddy." The account also tweeted a string of racist slurs and a bomb threat directed at Twitter's headquarters. The tweets were removed within about 20 minutes of publication.
"The phone number associated with the account was compromised due to a security oversight by the mobile provider," a company spokesperson said in a statement. "This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved."
A source familiar with the situation confirmed that Dorsey had been "SIM swapped," a process in which a hacker takes over a victim's mobile phone number and, with that cellular account access, gains control of applications tied to the phone number. This can happen if a hacker uses some personal information about a person — like the last four digits of a Social Security number, a credit card number, or even a fake ID — and calls the victim's carrier's customer service to move the mobile account over to another SIM card.
A Twitter spokesperson would not confirm if that was the case and did not say which mobile carrier Dorsey employed. They also didn't comment on the Twitter CEO's whereabouts. When asked if the hackers had further access to Dorsey's account like his direct messages, the spokesperson declined to comment.
Discord, a messaging app that's popular with gamers, took down the server hosting the chat tweeted by the @jack account. Before the server was taken down, BuzzFeed News discovered discussions suggesting the hackers might target President Donald Trump's account next.
Dorsey's hacked tweets were posted to Twitter through an app called Cloudhopper, which was acquired by Twitter in 2010 and enables SMS-based tweeting.
The incident is a humiliating blow for Twitter, which has long struggled to police hate and abuse on its platform. In 2017, the company beefed up its login verification, adding support for authenticator apps in addition to SMS text messages as an extra layer of security intended to mitigate hacked accounts on the platform. That protection applies to logins, however; tweets sent by text message from the linked phone number, as in this incident, are posted without any login and so are not covered by it.
Friday's incident reminded some of a November 2017 incident in which a disgruntled Twitter contractor took Trump's account offline for 11 minutes. That contractor, who had been at Twitter for four months, had the tools to unilaterally deactivate one of the most followed accounts on the service, leading some to question the security protocols in place at Twitter headquarters.
A former Twitter employee, who spoke to BuzzFeed News under the condition of anonymity for fear of retribution, called the incident "extra brutal" for the company given that it appears it was attacked using its own product, Cloudhopper. That person recalled that Twitter acquired Cloudhopper in 2010 because of ballooning SMS costs.
It's also a black eye for Dorsey, who has shunned efforts to better secure him and his devices, according to the source. The person recalled that Dorsey, who prefers to do the majority of his work from his iPhone, rejected a more secure laptop offered by Twitter's security team. Part of the reason, the person said, was that Twitter's CEO did not like to carry items with him during his long walks.
A different former employee noted that "exec account security used to be a disaster." That person recalled how security managers often complained about how few Twitter executives used two-factor authentication.
A Twitter spokesperson declined to comment on Dorsey's security measures.
This also wasn't the first time that Dorsey's account has been compromised. In July 2016, a hacker collective known as OurMine was able to post from his account by taking over a Vine account that was linked to Dorsey's Twitter. Vine, a short video sharing service, was bought by Twitter in 2012 before it was shuttered in late 2016.
Tess Russell, a product manager at Vine at the time, said that while the messages that OurMine posted at the time were innocuous — the group simply noted they were testing the Twitter CEO's security — it was a wake up call for people at the company.
"It showed that even [Dorsey] was vulnerable," she said. In meetings discussing what happened after the incident, she recalled managers telling employees to revoke access to apps they were no longer using and to keep passwords to company standards.
Friday's incident, she said, seemed like "a relatively similar situation" where hackers used a different service to access and post from his Twitter account.
"That's the whale," Russell said, noting that hackers were probably looking to inflict embarrassment and confusion. "That's the gold."
Ryan Broderick contributed reporting to this story.