The Hacker News — Cyber Security, Hacking, Technology News

It seems like the new American President's Twitter account could easily be hacked due to security blunders he made with the most powerful Twitter account in the world, experts warned.

Days after we got to know that the newly inaugurated President Donald Trump was still using his old, insecure Android smartphone, it has now been revealed that the official @POTUS Twitter account was linked to a private Gmail account.

Since we are already aware of the potential scandal with government officials using outside email systems following the hack of private e-mail servers of Hillary Clinton and George W. Bush, the choice of using private, non-government email address by Trump has raised serious concerns about the security of the White House's closely watched account.

To gain control of the official @POTUS Twitter account, which may or may not is secured with some form of two-factor authentication, all an attacker needs to do is hack the email address associated with the account, which controls the password reset process.

A hacker, @WauchulaGhost, who discovered this issue also reported similar weaknesses in the email linked to the First Lady Melania Trump (@FLOTUS) and VP Mike Pence (@VP), said CNN.

WauchulaGhost, who took down more than 500 ISIS Twitter accounts in the past, said he would not hack the @POTUS Twitter account or Twitter accounts of other White House officials; instead, he just wanted to issue a warning to upgrade the security of these accounts.

Fortunately, all those Twitter accounts were switched over to the White House-affiliated private email clients by just yesterday morning, but so far only Trump's personal Twitter account is apparently protected by two-factor verification, which requires users to enter a one-time passcode sent to their phone.

Also Read: Donald Trump's Email Servers are Horribly Insecure — Researcher Reveals

However, Trump's personal Twitter account still involves some substantial information security risks, since he is still using the insecure device to post messages from the White House, according to numerous reports quoting unnamed White House sources, which could allow malicious actors to gain access to the account through his phone itself.

Trump Press Secretary May Have Just Tweeted His Password,  Twice!

Another example of security blunders came yesterday when Press Secretary Sean Spicer believed to have tweeted his own Twitter password — particular combination of letters and numbers (n9y25ah7) — by mistake.

And since the email address used for the Spicer's Twitter account (@PressSec) was already known, it would have taken just a few seconds to log into it.

Overall, it is not a good start for the nascent Trump administration as far as cyber security is concerned. And if this continues, the new president will be the next target for hackers.

The world came to know about massive data breaches in some of the most popular social media websites including LinkedIn, MySpace, Tumblr, Fling, and VK.com when an unknown Russian hacker published the data dumps for sale on the underground black marketplace.

However, these are only data breaches that have been publicly disclosed by the hacker.

I wonder how much more stolen data sets this Russian, or other hackers are holding that have yet to be released.

The answer is still unknown, but the same hacker is now claiming another major data breach, this time, in Twitter.

Login credentials of more than 32 Million Twitter users are now being sold on the dark web marketplace for 10 Bitcoins (over $5,800).

LeakedSource, a search engine site that indexes leaked login credentials from data breaches, noted in a blog post that it received a copy of the Twitter database from Tessa88, the same alias used by the hacker who provided it hacked data from Russian social network VK.com last week.

The database includes usernames, email addresses, sometimes second email addresses, and plain-text passwords for more than 32 Million Twitter accounts.

Twitter strongly denied the claims by saying that "these usernames and credentials were not obtained by a Twitter data breach" – their "systems have not been breached," but LeakedSource believed that the data leak was the result of malware.

"Tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter," LeakedSource wrote in its blog post.

But, do you remember how Facebook CEO Mark Zuckerberg Twitter account was compromised?

The hackers obtained Zuck's account credentials from the recent LinkedIn data breach, then broke his SHA1-hashed password string, tried on his several social media accounts and successfully hacked Zuckerberg’s Twitter and Pinterest account.

So, one possibility could also be that the alleged Twitter database dump of over 32 Million users is made up of already available records from the previous LinkedIn, MySpace and Tumblr data breaches.

The hacker might just have published already leaked data from other sites and services as a new hack against Twitter that actually never happened.

Whatever the reason is, the fact remain that hackers may have had their hands on your personal data, including your online credentials.

So, it’s high time you changed your passwords for all social media sites as well as other online sites if you are using the same password.