Last Friday the world was shocked to learn that the CEO of Twitter, Jack Dorsey, had himself been hacked, and what got hacked was none other than his own Twitter account, with 4.2 million followers.
A group of hackers gained access to the account and used it to send out offensive messages and to plug their Discord channel. Although it took only about 15 minutes to regain control of the account, the incident reminded everyone how vulnerable high-profile accounts remain, and how weak phone-number-based authentication is.
How did they do it?
The big question everyone was asking is how they did it. They got in through the text-to-tweet service, which is operated by Cloudhopper, a company Twitter acquired. Twitter users who have linked a phone number can post tweets simply by texting a message to a short code, normally 40404. This is handy when you do not have access to a device with the Twitter app on it. The catch is that the system asks for nothing but the user's phone number: it links that number to the Twitter account and from then on treats any text arriving from that number as coming from the account owner. In other words, possession of the phone number is the only credential.
Now to how the hackers got hold of Jack Dorsey's account. Obtaining his phone number is not that hard, and the security oversight that handed over control was exactly the one described above: the text-to-tweet path trusted the sender's number and checked nothing else. The attack is known as SIM swapping (often called SIM hacking or SIM hijacking). It works by convincing the carrier, through social engineering of its customer-service staff, to assign the victim's number, in this case Dorsey's, to a SIM in a phone the attackers control. Every call and text to that number, including the sender identity stamped on texts to 40404, then belongs to the attackers.
The technique is not new and is often used to steal high-value Instagram handles or Bitcoin, since SMS-based password resets and one-time codes fall to the same trick.
How to protect against SIM hacking:-
Users can reduce their exposure to SIM swapping by adding a PIN or port-out passcode to their carrier account, so that a request to move the number to a new SIM must present a secret the attacker does not have, and by registering web accounts on sites like Twitter with a number that is not tied to a carrier SIM in their name (the "dummy" or VoIP number approach), so that the number used as a login factor is not the one a carrier can be talked into porting. Two further checks worth doing: remove or unlink your phone number from accounts where it is only there for convenience features such as text-to-tweet, and use an authenticator app or hardware security key for two-factor authentication rather than SMS codes, which a SIM swap delivers straight to the attacker.
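The following is an added example, not code from the article, from Twitter or from Cloudhopper. It models the text-to-tweet flow described above (a gateway that accepts any text to the short code and looks up the account by sender number), a carrier that can be talked into a SIM swap, and the two defences the section above recommends: a carrier port-out PIN, and a gateway that does not treat the phone number as the whole credential. All phone numbers, device names, handles and PINs are constructed for the demonstration; the PIN-in-message gateway is an assumed hardening, not a feature the page attributes to Cloudhopper.

```python
"""Toy model of text-to-tweet, a SIM swap, and two mitigations.

Added example for this article, not Twitter/Cloudhopper code. Numbers,
device names, handles and PINs below are constructed for the demo.
"""
import hashlib
import hmac
import os

SHORT_CODE = "40404"            # short code named in the article
VICTIM_NUMBER = "+15550100"     # constructed
ATTACKER_NUMBER = "+15550199"   # constructed


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Carrier:
    """Knows which device (SIM) currently receives each phone number."""

    def __init__(self):
        self.device_number = {}  # device -> number it currently holds
        self.port_pins = {}      # number -> (salt, pin hash) if the owner set one

    def provision(self, device, number):
        self.device_number[device] = number

    def set_port_pin(self, number, pin):
        salt = os.urandom(16)
        self.port_pins[number] = (salt, _hash_pin(pin, salt))

    def sim_swap(self, number, new_device, pin=None):
        """A 'customer' asks support to move a number onto a new SIM.
        With no port PIN on file, social engineering alone succeeds."""
        if number in self.port_pins:
            salt, expected = self.port_pins[number]
            if pin is None or not hmac.compare_digest(_hash_pin(pin, salt), expected):
                return False
        for device, n in list(self.device_number.items()):
            if n == number:
                del self.device_number[device]   # old SIM goes dead
        self.device_number[new_device] = number
        return True

    def send_sms(self, from_device, to, body):
        """The network stamps the sender with whatever number the SIM holds."""
        return {"from": self.device_number[from_device], "to": to, "body": body}


class TextToTweetGateway:
    """Vulnerable design: the sender's phone number is the entire credential."""

    def __init__(self):
        self.number_to_account = {}
        self.timeline = []  # (account, text) in posting order

    def link(self, number, account):
        self.number_to_account[number] = account

    def handle_sms(self, msg):
        if msg["to"] != SHORT_CODE:
            return None
        account = self.number_to_account.get(msg["from"])
        if account is None:
            return None
        self.timeline.append((account, msg["body"]))
        return account


class PinTextToTweetGateway(TextToTweetGateway):
    """Assumed hardening: the text must begin with a per-account PIN that the
    carrier is never given during a port, so a SIM swap alone cannot post."""

    def __init__(self):
        super().__init__()
        self.pin_hashes = {}

    def link(self, number, account, pin):
        super().link(number, account)
        salt = os.urandom(16)
        self.pin_hashes[account] = (salt, _hash_pin(pin, salt))

    def handle_sms(self, msg):
        account = self.number_to_account.get(msg["from"])
        if account is None or msg["to"] != SHORT_CODE:
            return None
        pin, _, text = msg["body"].partition(" ")
        salt, expected = self.pin_hashes[account]
        if not hmac.compare_digest(_hash_pin(pin, salt), expected):
            return None
        self.timeline.append((account, text))
        return account


def run_attack(gateway, legit_body, carrier_pin=None):
    """Replay the incident against an already-linked gateway.
    Returns (account the owner's text posted as, account the attacker's posted as)."""
    carrier = Carrier()
    carrier.provision("victim-phone", VICTIM_NUMBER)
    carrier.provision("attacker-phone", ATTACKER_NUMBER)
    if carrier_pin:
        carrier.set_port_pin(VICTIM_NUMBER, carrier_pin)
    # The owner tweets normally from their own SIM.
    posted = gateway.handle_sms(carrier.send_sms("victim-phone", SHORT_CODE, legit_body))
    # The attacker social-engineers a port of the victim's number, knowing no PIN.
    if not carrier.sim_swap(VICTIM_NUMBER, "attacker-phone"):
        return posted, None
    forged = carrier.send_sms("attacker-phone", SHORT_CODE, "plug for our discord")
    return posted, gateway.handle_sms(forged)
```

Running `run_attack` against the plain gateway posts the attacker's text as the victim; adding a carrier port PIN stops the swap at the carrier, and the PIN-prefixed gateway rejects the forged text even after a successful swap. The second defence is a demonstration of not using the number as the sole credential; a secret sent inside an SMS is still visible to the carrier and to anyone who can intercept texts, so unlinking the number or using app-based or hardware-key authentication remains the stronger option.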