Three “grumpy old hackers” in the Netherlands managed to access Donald Trump’s Twitter account in 2016 by extracting his password from the 2012 LinkedIn hack.
The pseudonymous, middle-aged chaps, named only as Edwin, Mattijs and Victor, told reporters they had lifted Trump’s particulars from a database that was being passed about among hackers, and tried it on his account.
To their considerable surprise, the password – but not the email address associated with @realdonaldtrump – worked the first time they tried it, with Twitter’s login process confirming the password was correct.
The explosive allegations were made by Vrij Nederland (VN), a Dutch magazine founded during WWII as part of the Dutch resistance to Nazi German occupation.
“A digital treasure chest with 120 million usernames and hashes of passwords. It was the spoil of a 2012 digital break-in,” wrote VN journalist Gerard Janssen, describing the LinkedIn database hack. After the networking website for suits was hacked in 2012 by a Russian miscreant, the database found its way onto the public internet in 2016 when researchers eagerly pored over the hashes. Critically, the leaked database included 6.5 million hashed but unsalted passwords.
Poring over the database, the trio found an entry for Trump as well as the hash for Trump’s password: 07b8938319c267dcdb501665220204bbde87bf1d. Using John the Ripper, a hash-reversing tool, they were able to uncover one of the Orange One’s login credentials. Some considerable searching revealed the correct email address (firstname.lastname@example.org – a different one from the one Trump used on LinkedIn and which was revealed in the hash)… only for the “middle-aged” hackers to be defeated by Twitter detecting that the man who would become the 45th president of the United States had logged in earlier from New York.
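The two properties that made the LinkedIn dump useful to the trio are that the hashes were unsalted and that they were a fast digest (the 40-hex-character value quoted above is the shape of a SHA-1 digest, which is what LinkedIn stored in 2012). The following Python is an added illustration, not code from the article or from the hackers: it uses a constructed toy dump and wordlist (no real accounts or hashes) to show why one precomputed table reverses every unsalted entry at once, why identical passwords are visible even without cracking, and how a per-user salt plus a deliberately slow derivation (PBKDF2 here, with an iteration count chosen as an assumption) removes both weaknesses while still letting the site verify a login.

```python
import hashlib
import hmac
import os

# Constructed sample data, in the shape the article describes: a leaked dump of
# unsalted SHA-1 password hashes. None of these users or passwords are real.
SAMPLE_PASSWORDS = {
    "alice": "summer2012",
    "bob": "password1",
    "carol": "summer2012",   # deliberately the same password as alice
}
LEAKED_UNSALTED = {
    user: hashlib.sha1(pw.encode()).hexdigest() for user, pw in SAMPLE_PASSWORDS.items()
}

# Constructed wordlist of the kind a cracking tool such as John the Ripper is fed.
WORDLIST = ["letmein", "summer2012", "password1", "qwerty"]


def reverse_unsalted(dump, wordlist):
    """Unsalted, fast hashes fall to a single precomputed table: hash each
    candidate word once, then look every user's stored hash up in that table.
    Returns {user: recovered_password_or_None}."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(h) for user, h in dump.items()}


def duplicate_password_users(dump):
    """With unsalted hashes, users who share a password share a hash, so the
    grouping is visible before a single guess is made."""
    seen = {}
    for user, h in dump.items():
        seen.setdefault(h, []).append(user)
    return {h: users for h, users in seen.items() if len(users) > 1}


def hash_salted(password, salt=None, iterations=600_000):
    """Per-user random salt plus a slow key derivation (PBKDF2-HMAC-SHA256).
    The iteration count is an assumption for this example; stored as 'salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored, iterations=600_000):
    """Verification recomputes the derivation with the stored salt and compares
    in constant time; the site never needs the plaintext on disk."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def salted_hashes_collide(password):
    """Same password stored twice with fresh salts yields two different strings,
    so neither a precomputed table nor a shared-hash grouping applies."""
    return hash_salted(password) == hash_salted(password)


if __name__ == "__main__":
    print("recovered from unsalted dump:", reverse_unsalted(LEAKED_UNSALTED, WORDLIST))
    print("users sharing a password:", duplicate_password_users(LEAKED_UNSALTED))
    stored = hash_salted("summer2012")
    print("salted record:", stored)
    print("login with correct password:", verify_salted("summer2012", stored))
    print("two salted records of the same password equal:", salted_hashes_collide("summer2012"))
```

The contrast is the point: the unsalted dump gives up every wordlist password for every user in one pass, whereas the salted records force an attacker to start over per user and to pay the full iteration cost on each guess.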
One open proxy server later, they were in.
VN published screenshots supplied by the three showing a browser seemingly logged into Trump’s Twitter account, displaying a tweet dating from 27 October 2016 referring to a speech Trump delivered in Charlotte, North Carolina, USA.
The Dutch hackers also alleged that they found Trump’s details in a database hacked from Ashley Madison, a dating website aimed at cheating spouses. Amusingly, just 1.4 per cent of its 31 million users were actual women.
Despite trying to alert American authorities to just how insecure Trump’s account was (no multi-factor authentication, recycled password from an earlier breach), the hackers’ efforts got nowhere, until in desperation they tried the Netherlands’ National Cyber Security Centrum – which acknowledged receipt of the breach report the increasingly concerned men had written up immediately once they realised their digital trail was not particularly well covered.
“In short, the grumpy old hackers must set a good example. And to do it properly with someone they ‘may not really like’ they think this is a good example of a responsible disclosure, the unsolicited reporting of a security risk,” concluded VN’s Janssen.
Professor Alan Woodward of the University of Surrey added: “It’s password hygiene 101: use a different password for each account. And, if you know a password has been compromised in a previous breach (I think LinkedIn is well known) then for goodness sake, don’t use that one. [This is] a textbook example of credential stuffing.”
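Two of the defensive signals in this story are worth seeing as detection logic: Twitter noticed that the account’s owner had recently logged in from New York, and credential stuffing of the kind Woodward describes shows up as one source trying many distinct usernames in a short window. The Python below is an added example, not part of the article and not anything Twitter or the Dutch trio wrote; it runs over a constructed authentication log (fabricated timestamps, RFC 5737 documentation IP addresses, made-up usernames) and the thresholds and 24-hour lookback are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Fields:
# timestamp, source IP, username, outcome, coarse geolocation of the source.
SAMPLE_LOG = """\
2016-10-27T20:01:02Z 203.0.113.7 user_a FAIL NL
2016-10-27T20:01:03Z 203.0.113.7 user_b FAIL NL
2016-10-27T20:01:04Z 203.0.113.7 user_c FAIL NL
2016-10-27T20:01:05Z 203.0.113.7 user_d FAIL NL
2016-10-27T20:01:06Z 203.0.113.7 user_e OK NL
2016-10-27T20:01:07Z 203.0.113.7 user_f FAIL NL
2016-10-27T19:30:00Z 198.51.100.4 user_e OK US
2016-10-27T19:00:00Z 198.51.100.4 user_e OK US
2016-10-27T20:05:00Z 192.0.2.9 user_g FAIL US
2016-10-27T20:06:00Z 192.0.2.9 user_g OK US
"""


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by time (log lines
    are not guaranteed to arrive in order)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "ok": outcome == "OK", "country": country,
        })
    return sorted(events, key=lambda e: e["ts"])


def stuffing_sources(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Credential-stuffing signature: one source IP cycling through many
    distinct usernames inside a short window. Sliding window per IP; returns
    {ip: peak number of distinct usernames seen inside any one window}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        counts = defaultdict(int)   # username -> attempts inside the current window
        start, peak = 0, 0
        for end, e in enumerate(evs):
            counts[e["user"]] += 1
            while evs[end]["ts"] - evs[start]["ts"] > window:
                old = evs[start]["user"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= min_distinct_users:
            flagged[ip] = peak
    return flagged


def new_location_logins(events, lookback=timedelta(hours=24)):
    """The check that stopped the trio's first attempt: a successful login from a
    country different from the user's previous successful login within the
    lookback period. Returns (user, previous_country, new_country, ip) tuples."""
    last_success = {}   # user -> (ts, country)
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        prev = last_success.get(e["user"])
        if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= lookback:
            alerts.append((e["user"], prev[1], e["country"], e["ip"]))
        last_success[e["user"]] = (e["ts"], e["country"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("sources matching a stuffing pattern:", stuffing_sources(evs))
    print("successful logins from an unexpected location:", new_location_logins(evs))
```

On the constructed log, the first detector singles out 203.0.113.7 (six usernames in a few seconds) while the user who simply mistyped once from 192.0.2.9 is left alone, and the second flags user_e’s successful login from NL because the same account had logged in from the US within the previous hour. Either alert is a reasonable trigger for a step-up challenge, which is exactly the control the article notes was missing on the account in question.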