A security researcher claims he hacked President Donald Trump’s Twitter account earlier this month, guessing that his password was “maga2020!” and possibly posting a tweet where Trump appeared to take a satirical article seriously. Dutch newspaper de Volkskrant and magazine Vrij Nederland reported the news earlier today, citing screenshots and interviews with the researcher, Victor Gevers.
But when reached for comment, both Twitter and the White House vigorously denied the claim.
“We’ve seen no evidence to corroborate this claim, including from the article published in the Netherlands today,” a Twitter spokesperson told The Verge. “We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government.”
White House deputy press secretary Judd Deere also denied the report. “This is absolutely not true,” he told The Verge, “but we don’t comment on security procedures around the President’s social media accounts.”
Vrij Nederland reported last month that Gevers and two other hackers had successfully breached Trump’s Twitter account in October 2016. According to its new report, Gevers decided to run a new security test in 2020 by plugging in the old password. That password (“yourefired”) didn’t work, but Gevers discovered that Trump didn’t have two-factor authentication enabled — a remarkable weakness for a hugely important account. He guessed a handful of other passwords and was granted access after five other tries.
Twitter didn’t specify exactly what security measures had been implemented for Trump’s account. The company began requiring strong passwords and seriously encouraging two-factor security in September following a breach of several high-profile accounts, but it’s theoretically possible that the Trump campaign disabled that additional measure.
Vrij Nederland also suggests that Gevers was responsible for a strange tweet sent by Trump on October 16th. The tweet cited the satirical publication The Babylon Bee in an apparently serious capacity. Gevers apparently wouldn’t confirm this to Vrij Nederland, but he said that if he had, then “Trump will need to either admit to never having read the Babylon Bee article and posting this bullshit tweet, OR he will need to acknowledge that someone else posted the tweet.”
Trump claimed during a speech earlier this week that “nobody gets hacked,” except by someone with a “197 IQ” and “about 15 percent of your password.” Trump has previously admitted that a hacker breached his Twitter account in 2013.
Gevers — a respected security expert and co-founder of the nonprofit GDI Foundation — says he made numerous attempts to contact Trump about the vulnerability. de Volkskrant reports that the American Secret Service in the Netherlands reached out to Gevers and “took the report seriously,” according to correspondence seen by the reporters. (The US Secret Service press line didn’t immediately respond to an email from The Verge.) In a direct message to The Verge, Gevers says he also attempted to contact Twitter multiple times with “zero luck.”
Gevers didn’t confirm whether he sent the Babylon Bee tweet. But he says that despite gaining access to Trump’s account, he didn’t make changes to it. “That is not ethical and goes too far. That is not covered by a responsible disclosure / coordinated vulnerability disclosure,” he said. “Or, in plain English, a dick move.”