Twitter Temporarily Disables Tweeting via SMS After CEO Hack

Twitter announced on Wednesday that it has decided to temporarily disable the feature that allows users to post tweets via SMS, in an effort to protect accounts.

“We’re taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication (we’re working on improving this),” Twitter said.

It added, “We’ll reactivate this in markets that depend on SMS for reliable communication soon while we work on our longer-term strategy for this feature.”

The decision comes after a hacker group called Chuckling Squad hijacked the account of Twitter CEO Jack Dorsey and posted offensive messages and even bomb threats. The unauthorized tweets were visible for roughly half an hour before being removed.

The hackers used a technique called SIM swap to pull off the attack. They used social engineering to convince an AT&T employee to transfer Dorsey’s phone number to their own SIM card. Once they gained control of Dorsey’s number, they used a Twitter-owned service named Cloudhopper to post tweets to the CEO’s account.

Cloudhopper allows users to tweet, follow or unfollow users, and make configuration changes by sending SMS messages from a phone number linked to their Twitter account to a specific number. In the attack against Dorsey, this allowed the hackers to post tweets without actually having to log in.

Other high-profile individuals, particularly social media influencers, have also been targeted by Chuckling Squad using SIM swapping.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.