The tweets appear to have been sent not by hacking Dorsey’s actual account, but by the hacker or hackers convincing Twitter’s systems that they had his phone and were texting the tweets to his account. It’s likely the hacker or hackers wouldn’t even have needed Dorsey’s password, or ever been prompted for it.
CNN confirmed this would work using a newly registered account, which Twitter automatically opted in to tweeting by text. Then, with a phone that had never been used to log into Twitter, and without ever being asked for any password, a CNN reporter was able to send a tweet by text.
Hackers could potentially use this method to send tweets from other accounts belonging to prominent figures — including American elected officials who are frequent Twitter users, like President Trump — so long as the targets haven’t opted out of tweeting by text. The White House and the Secret Service did not immediately respond to requests for comment as to whether Trump’s account has tweeting by text enabled.
This method of tweeting may have once seemed like a useful and harmless feature. But a phone number is considered far less of a secure identifier today than it was in 2010. The past few years have seen the rise of “SIM jacking,” in which a hacker convinces a phone carrier that they’ve lost their SIM card and requests that the number be transferred to a new card.
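The weakness the article describes, modeled as an added example (not Twitter's code): an inbound SMS-to-post gateway whose only identity signal is the carrier-reported sender number. Account handles, numbers and the `SmsGateway` design are assumptions constructed for illustration; the hardened variant only changes the default to opt-out and records rejected attempts for detection, which shows why opting out of text posting is the effective mitigation once the number itself can be taken over.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    handle: str
    phone: str                     # number linked to the account (constructed placeholder)
    tweet_by_text: Optional[bool]  # None = the user never touched the setting


@dataclass
class SmsGateway:
    """Hypothetical inbound SMS-to-post handler. It checks no password or session;
    the sender number on the carrier message is the only 'authentication'."""
    default_opt_in: bool                           # applies when tweet_by_text is None
    accounts: dict = field(default_factory=dict)   # phone -> Account
    posts: list = field(default_factory=list)      # (handle, text) that got posted
    audit: list = field(default_factory=list)      # rejected attempts, for alerting

    def link(self, acct: Account) -> None:
        self.accounts[acct.phone] = acct

    def handle_inbound_sms(self, from_number: str, body: str) -> bool:
        acct = self.accounts.get(from_number)
        if acct is None:
            self.audit.append(("unknown-number", from_number))
            return False
        enabled = self.default_opt_in if acct.tweet_by_text is None else acct.tweet_by_text
        if not enabled:
            # A text arrived for an account that never enabled the feature: log it,
            # since a spoofed or SIM-swapped number is a plausible cause.
            self.audit.append(("text-posting-disabled", acct.handle))
            return False
        self.posts.append((acct.handle, body))
        return True


def scenario():
    # Constructed sample: an account whose owner never changed the text-posting setting.
    victim = Account("ceo", "+15550100001", tweet_by_text=None)
    weak = SmsGateway(default_opt_in=True)       # auto opt-in, as the article describes
    weak.link(victim)
    # Whoever the carrier now routes this number to (e.g. after a SIM swap) posts as the victim.
    posted_weak = weak.handle_inbound_sms("+15550100001", "hello")
    hardened = SmsGateway(default_opt_in=False)  # feature off unless explicitly enabled
    hardened.link(victim)
    posted_hardened = hardened.handle_inbound_sms("+15550100001", "hello")
    return posted_weak, posted_hardened, hardened.audit
```

An account that has explicitly enabled text posting is still accepted by the hardened gateway, which is the article's point: once the number can be transferred away, only disabling the feature removes the exposure.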
In 2012, Twitter published a blog post responding to reports that it might be possible for hackers to spoof a phone number and send tweets by text in this way. In that post, it specifically denied that US users could be vulnerable to such a hack.
Twitter declined to comment beyond its tweets about Dorsey.