Dutch Prosecutors Say One Man Got Into Trump's Twitter Account With 'MAGA2020!' Password

from the p@ssw0rd! dept

This sort of thing will never stop amazing me. For any American President, one would assume they would have all kinds of advisers on all matters regarding security and best practices when it comes to the systems and technology they use. I’m old enough to remember when everyone freaked out over Barack Obama using a Blackberry, but at the time I hand-waved any such concerns under the assumption that there were checks in place to make such technology secure.

So how in the world did Donald Trump, often called America’s first Twitter President, manage to have his Twitter account accessed using a laughably predictable password and 2-factor authentication?

Dutch prosecutors have found a hacker did successfully log in to Donald Trump’s Twitter account by guessing his password – “MAGA2020!” But they will not be punishing Victor Gevers, who was acting “ethically”.

Mr Gevers shared what he said were screenshots of the inside of Mr Trump’s account on 22 October, during the final stages of the US presidential election. But at the time, the White House denied it had been hacked and Twitter said it had no evidence of it.

For what it’s worth, the White House and Twitter are both still claiming that they don’t see any evidence that Gevers did in fact access Trump’s Twitter account. That being said, Gevers is said to have provided evidence for what he’d done to Dutch police and the prosecutors there seem utterly convinced that Gevers did precisely what he said he had.

Dutch police said: “The hacker released the login himself.

“He later stated to police that he had investigated the strength of the password because there were major interests involved if this Twitter account could be taken over so shortly before the presidential election.”

They had sent the US authorities their findings, they added.

For any other president, this sort of unauthorized access would be frustrating and somewhat concerning. For this president, however, who routinely announces hirings and firings of government employees via Twitter, and occasionally even announces American policy that way, it’s horrifying. Someone who was actually nefarious could have created all kinds of chaos at the very least, or precipitated real life wars at worst, just by tweeting out from Trump’s account. Imagine a world where a bad actor accesses Trump’s account and tweets “America has declared war on North Korea. The battle begins in hours.” It’s not inconceivable that Seoul would be lost under North Korean artillery… or worse.

It’s also worth noting that Gevers claims this isn’t the first time he got access to Trump’s account.

Earlier this year, Mr Gevers also claimed he and other security researchers had logged in to Mr Trump’s Twitter account in 2016 using a password – “yourefired” – linked to another of his social-network accounts in a previous data breach.

The best people are apparently not advising the president on how to keep his vaunted Twitter account secure.


Comments on “Dutch Prosecutors Say One Man Got Into Trump's Twitter Account With 'MAGA2020!' Password”

65 Comments

This comment has been flagged by the community.

davedave (profile) says:

Sure. This story is completely credible. No-one else ever tried that one…

It’s just an undisprovable defence which Dutch prosecutors were happy to accept given the prosecution was probably not in the public interest anyway.

It’s clear he did guess the password, but it obviously wasn’t quite that easy to guess. The story is true apart from what the password actually was.

This comment has been deemed insightful by the community.
sehlat (profile) says:

The best people...

The best people are apparently not advising the president on how to keep his vaunted Twitter account secure.

That’s rather an assumption. Trump is infamous for clinging to his delusions rather than taking advice. The best people may be advising him, but the chances of the advice being taken are low. Very low.

This comment has been deemed insightful by the community.
That One Guy (profile) says:

Re: Having 'the best people' doesn't matter if you ignore them

That was my first thought as well, in that it’s more likely that Trump has been told about his abysmal security practices but simply refuses to listen since remembering a strong password would take work and he’s deathly allergic to that.

Scary Devil Monastery (profile) says:

Re: The best people...

"The best people may be advising him"

Until they said something he didn’t like to hear and then the "next best people" were advising him instead. Until they said something he didn’t want to hear…

Judging by his current performance he’s now taking advice from the guy who failed his municipal janitor application for sniffing glue while presenting the used toilet paper making up his resume.

This comment has been deemed insightful by the community.
WarioBarker (profile) says:

Twitter saying there’s no evidence may suggest this guy’s lying and made up what he presented to Dutch authorities.

The best people are apparently not advising the president on how to keep his vaunted Twitter account secure.

I’d say it’s more likely that they have – many times – but Trump either doesn’t listen or doesn’t care.

That One Guy (profile) says:

Re: Re: Re:

Multiple failed password attempts that differ significantly from each other would probably do it. It’s one thing to get a letter or number wrong in an attempt to input a password, there’s nothing surprising or suspicious about that, but if multiple attempts are made and they are using different words then that’s a pretty good indicator that someone other than the account owner is trying to gain access.

PaulT (profile) says:

Re: Re: Re:3 Re:

I couldn’t help but think of this:

https://twitter.com/barrydeutsch/status/1024567665094930432/photo/1

But, who has the AG do what now? Barr has quit, the new guy won’t realistically have time to prepare anything meaningful and any executive orders can presumably be overruled by Biden the moment he takes office. Hell, Trump won’t even have access to the @POTUS account on January 20th.

Unless I’m missing something, or some major hail Mary move somehow blocks Biden from being President, there’s little Trump can actually do. Sure, he’ll spend his days ranting on Parler or Fox (or, maybe OANN/whatever the new flavour of the month is since Fox has told the truth too many times for his tastes recently) and there will be no shutting the cultists up, but his ability to abuse the government’s power to fight his petty personal squabbles will be ending very soon.

I have no doubt that we will continue being tired of hearing about him in 2021, but his ability to directly influence things will soon be over, and I have serious doubts that he is going to retain any meaningful control in the background as a private citizen.

Scary Devil Monastery (profile) says:

Re: Re: Re:4 Re:

"I couldn’t help but think of this:"

Yeah, that remarkably accurate depiction of a Trump cultist denied space on a single platform was what I was thinking of as well.
That exact comic sequence seems to be enacted by republican and democrat senators in plays carried out every day right on the senate floor.

"Unless I’m missing something, or some major hail Mary move somehow blocks Biden from being President, there’s little Trump can actually do."

There are no Hail Mary moves left to "block" Biden at this point. But it’d be a mistake to overestimate Trump, especially when it starts sinking in that he’s actually, you know…lost. I fully expect him to lose his shit completely and the best outcome of that is if he just takes a hammer to the Oval Office interior and takes a dump right on the resolute desk.

The more likely option is that he churns up that genius of vindictive pettiness he’s flaunted for so long and spends the rest of his time in office tearing down every mechanism of government Biden is likely to need. I wouldn’t hold it completely unlikely for him to show up at Biden’s inauguration toting an empty gas canister and a smug grin with the flames coming out of the windows of the white house in the background.

The worst option is that he tries to lever the yes-men he’s put in office in the pentagon to break out the heavy stuff. All he needs to make his last few days a wartime presidency is a drone or missile dropped on whatever center of resistance he deems the worst offender. I wish I could say that in a healthy nation there’s no chance the supreme commander of the armed forces would be able to just order a launch. But even in the best of times I actually can’t hold that as an impossibility.

Anonymous Coward says:

Re: Re: Re: Re:

If Twitter is storing the raw passwords in order to perform such a comparison then everyone on Earth should stop using Twitter. Passwords should always be stored in hashed form (non-reversible) which cannot be compared to an attempted password in that way. I have a hard time believing Twitter actually stores raw passwords.

That One Guy (profile) says:

Re: Re: Re:2 Re:

A fair point that I hadn’t considered, however while admittedly I’m not familiar with the field but I would think that even using that method to keep passwords secret it would still be possible to note how different an attempt was from the required input, though again I could be wrong due to lacking knowledge in the field, so if someone wants to step in and clarify how realistic that idea is they’re welcome to.

PaulT (profile) says:

Re: Re: Re: Re:

"Multiple failed password attempts that differ significantly from each other would probably do it."

It really depends on how many attempts are made. IIRC, the suggestion here was that it really didn’t take many attempts to guess this password. You also run into the problem where that kind of alerting would naturally reveal some part of the password to people/systems that shouldn’t have any such information – if the password is correctly salted and encrypted on the database, such partial information would make it less secure. A simple total number of guesses might be sufficient, but most sites will simply block further attempts for 30 seconds unless there’s a clear brute force attempt, which would likely need the timeout to be triggered many times, which isn’t clear happened here.

The bigger failure here is, unsurprisingly on the user – it seems that Trump was not using 2FA, so the biggest tool Twitter provides to secure the password was refused by the target.
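Added example, not part of any comment above: a sketch of what a login service that stores only salted hashes can and cannot observe about failed attempts, which is the question raised in this sub-thread. The first part shows that two passwords differing by one character produce unrelated hashes, so "how different was the guess" is not available; the second part throttles on failure count alone. `LoginMonitor`, its thresholds and the sample passwords are constructed for illustration and do not describe Twitter's systems.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

ITERATIONS = 100_000  # assumption: demo work factor, tune for real hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def bit_difference(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (len(a) * 8)


def similarity_leak_demo() -> float:
    """Hash two constructed passwords that differ by a single character.

    About half of the output bits change, the same as for two unrelated
    passwords, so the stored hash says nothing about how close a guess was.
    """
    salt = bytes(16)  # fixed salt only so the demo is repeatable
    return bit_difference(hash_password("orchid-kettle-41", salt),
                          hash_password("orchid-kettle-42", salt))


class LoginMonitor:
    """Hypothetical verifier that throttles on failure count alone."""

    def __init__(self, max_failures: int = 5, window: float = 300.0):
        self.max_failures = max_failures
        self.window = window                   # seconds
        self._stored = {}                      # user -> (salt, hash)
        self._failures = defaultdict(deque)    # user -> failure timestamps

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._stored[user] = (salt, hash_password(password, salt))

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'fail' or 'throttled' for one login attempt."""
        recent = self._failures[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()                   # forget failures outside the window
        if len(recent) >= self.max_failures:
            return "throttled"                 # even a correct password must wait
        # Unknown users are checked against a dummy record so timing stays similar.
        salt, expected = self._stored.get(user, (bytes(16), bytes(32)))
        if hmac.compare_digest(hash_password(password, salt), expected):
            return "ok"
        recent.append(now)
        return "fail"
```
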

nasch (profile) says:

Re: Re: Re: Re:

if multiple attempts are made and they are using different words then that’s a pretty good indicator that someone other than the account owner is trying to gain access.

Not really. Lots of people have variations on a few different passwords they use, and they could forget which category of password they used for any particular service.

This comment has been flagged by the community.

tp (profile) says:

What's the point of publishing the password?

I don’t see what techdirt is advancing with publishing of trump’s password? Trump probably uses the same password in multiple different systems, and now all those systems are hackable by everyone and their cat. Publishing the issue without copy-pasting the actual password is perfectly possible, and I’m dismayed by the lack of ethics in this area. Publishing the password invites teenagers to knock trump’s account door, in violation of existing laws. I would have expected something better from techdirt.

This comment has been deemed insightful by the community.
That One Guy (profile) says:

Re: To show how stupid he was/is?

The only way posting his previous password would allow people to ‘hack’ his accounts would be if he didn’t change it/them, and while it would be entirely in character for him to be stupid enough to not only use the same password after it’s been made public but do so on multiple accounts if that does end up happening that’s kinda on him, as it’s not on those reporting the issue to save him from his own idiocy.

Anonymous Coward says:

Re: What's the point of publishing the password?

"I don’t see what techdirt is advancing with publishing of trump’s password?"

This comment may have had some validity had it been made before several major media outfits ran their stories divulging the same pw. Also the comment would be more valid if subject pw were not so lame.

This comment has been flagged by the community.

tp (profile) says:

Re: Re: What's the point of publishing the password?

This comment may have had some validity had it been made before several major media outfits ran their stories divulging the same pw.

Well, some 2 year education on social media studies probably didn’t teach their journalists that publishing all the sensitive information isn’t actually allowed, even if journalist gets his hands on the info via illegal channels.

But techdirt should know better than that.

Anonymous Coward says:

Re: Re: Re: What's the point of publishing the password?

Horse has left the barn, better hurry and close that door.

Is it really the fault of the lowly journalist when discussing the activities at large corporate media outfits? I would think that a large media outlet would employ an editor, possibly a few editors, to ensure the (cough) integrity of their publications.

Better than what?

Anonymous Coward says:

Re: What's the point of publishing the password?

I have to say, considering that you usually lose your shit about copyright not being enforced at a level that involves time travel, this is not the article that I expected you to rear your ugly head on.

I would have expected something better from techdirt

Oh, pull the other one. You expect Pixar to fold over and die so your piss-poor excuse for an animation engine can take the world by storm. You don’t expect anything from Techdirt.

Rico R. (profile) says:

Re: What's the point of publishing the password?

First, the password is so laughably guessable that it would be impossible to convey how laughably guessable the password was without actually saying the password. Second, simply publishing a password with nothing more is not inviting people to attempt to hack Trump’s account. It would be different if Techdirt used language more inducing or inciting people to hack Trump’s Twitter account instead of simply saying, "His password was MAGA2020!" And it should go without saying, but I’d imagine that Techdirt assumes no responsibility for others who try to hack Trump’s account. They shouldn’t have to implicitly say that for them to be in the clear. Indeed, if someone did hack something of Trump’s, or worse, a secure area of the United States, I doubt that "Techdirt gave me the password" would be an excusable defense in court.

PaulT (profile) says:

Re: What's the point of publishing the password?

"I don’t see what techdirt is advancing with publishing of trump’s password?"

A followup on a story where everyone was having fun poking at how easily guessed it was, which was reported in every form of media when it happened. This is very old news at this point, and if Trump is still using the same password it’s in the public interest that this is revealed by the BBC and other major news outlets reporting it, as well as the public documents that contain it. TD are not privy to any information would-be hackers don’t already possess.

"Trump probably uses the same password in multiple different systems"

Which, if you were as technically literate as you claim to be in between bouts of us mocking you for not having such knowledge, you’d know is bad practice for anyone, let alone the POTUS’s handling of passwords for systems that he’s using as de facto official government communications.

Hey, I’m glad you’re commenting on something that’s not you pretending that your badly designed software is being discriminated against because your incomprehensible bus ads didn’t work, but you seem to still need to do some basic research in to how the real world works.

tp (profile) says:

Re: Re: What's the point of publishing the password?

you’d know is bad practice for anyone, let alone the POTUS’s

you have any idea how annoying it is to change your passwords on 30 different systems every fucking week when some hackers gets access to the data. EU has GDPR designed to fix this problem and it has 10 million euro fines for companies that let people’s passwords leak to the internet.

Trump’s account is pretty good test case, if that gets hacked and all the followers get spammed for advertisements every fucking week, then it’s clearly time to change the laws to stricter versions.

PaulT (profile) says:

Re: Re: Re: What's the point of publishing the password?

"you have any idea how annoying it is to change your passwords on 30 different systems every fucking week when some hackers gets access to the data"

Significantly less annoying than having to deal with the way your accounts and data may have been used after they were compromised because you were too lazy to use a password manager that generates and tracks secure single use passwords?

I rarely have to change passwords, and when it’s down to a breach of a third party I only have to change the password for the breached service. You know, because I’m not an idiot using the same password for every site without 2FA and hoping that in the time between a breach happening and it being detected and publicly announced that the hackers haven’t already tried the login elsewhere.

"EU has GDPR designed to fix this problem"

Wow, you are dense on any matter of the real world, aren’t you?

No, the GDPR does not do anything to protect you from an external hack, especially not one that’s been caused by you being too lazy to use unique passwords. They are required to notify you if they have had a major breach, and possibly temporarily block the account and force a password reset before the account can be used again, but unless they have any internal failure that caused the hack that’s about it. If you’re reusing passwords, that’s on you.

"Trump’s account is pretty good test case, if that gets hacked and all the followers get spammed for advertisements every fucking week, then it’s clearly time to change the laws to stricter versions."

Nope. Twitter aren’t liable for Trump being a lazy asshole who creates an easy to guess password and refuses to use 2FA. They might be responsible for leaving a hacked account open and spamming other users, but since that didn’t happen here they’re in the clear.

So, again, your arguments depend on fantasies that haven’t happened, and a woeful misunderstanding of reality.

Scary Devil Monastery (profile) says:

Re: Re: Re: What's the point of publishing the password?

"…you have any idea how annoying it is to change your passwords on 30 different systems every fucking week when some hackers gets access to the data…"

This is what keyrings and escrow systems are for. I’m afraid that to date it still isn’t possible to secure very many systems against well motivated hackers. When even the NSA can’t protect themselves it’s a bit rich to claim that’s what we demand from private companies without any reasonable ability to even come close to securing what is often openly available accounts.

"EU has GDPR designed to fix this problem and it has 10 million euro fines for companies that let people’s passwords leak to the internet."

That’s not what the GDPR is for, really. Shoddy as it is the core idea of the GDPR is that it’s supposed to protect consumer rights in general, focused on privacy. What it has is fines for companies leaking personal data in general, and a range of fines depending on the severity of the data leaked.

"Trump’s account is pretty good test case, if that gets hacked and all the followers get spammed for advertisements every fucking week, then it’s clearly time to change the laws to stricter versions."

There is no law capable of protecting against user stupidity. If Trump’s password can be guessed at or resolved by throwing a dictionary attack at it then the only law capable of protecting that password is a law which forbids Trump from using the internet.

I’m not surprised, given your previous posts around here, to find that as usual you have some dumb-as-fuck suggestions to deal with the problem of human stupidity.

Whenever computer security comes up as a topic there is still that golden immutable rule; Out of User-friendly, Not prohibitively expensive, and Secure you can have any two. Never all three.

PaulT (profile) says:

Re: Re: Re:2 What's the point of publishing the password?

"I’m afraid that to date it still isn’t possible to secure very many systems against well motivated hackers."

More to the point – you can’t secure systems against users who have been compromised outside of your system. You can have the greatest security in the world, but if a user just straight up tells someone their password there’s nothing you can do to stop it if there’s no 2FA enabled. If you have 2FA enabled or hardware keys, you’re still not protected against the user who just gives the key to someone. Same thing with shared passwords – there’s nothing you can do if the user has decided to reuse their password somewhere outside of your control.

tp is displaying his usual lack of common sense and desire to blame everyone else for the problems he caused here, but it’s pretty simple – any system is only as secure as the weakest link in its security, and if you decide to reuse a login across so many insecure sites that you’re having to change your password on "30 different systems every week" because you’re so dumb you use the same one everywhere, then YOU are the weak link that’s getting everyone else compromised.

tp (profile) says:

Re: Re: Re:2 What's the point of publishing the password?

If Trump’s password can be guessed at or resolved by throwing a dictionary attack

To run a dictionary attack, you need some way to test if your password attempt is actually a valid password. This test needs to be quick, and if twitter has the standard 30 second delay for the login screens, then the dictionary attack fails to work. Only way for dictionary attack to work would be if the twitter’s password hashes leaked to the internet (or if the leak had plaintext passwords in it, god forbid), but in Trump’s case, dictionary attack simply fails unless there’s a GDPR violation somewhere.

PaulT (profile) says:

Re: Re: Re:3 What's the point of publishing the password?

"This test needs to be quick, and if twitter has the standard 30 second delay for the login screens, then the dictionary attack fails to work"

Not if the target is such a transparent, unimaginative idiot that you know you can supply a dictionary with 10 words in it.

You know what’s a better defence against a dictionary attack? Using a strong password that doesn’t contain a dictionary word, and backing that up with the 2FA option that Twitter provide to you.

"Only way for dictionary attack to work would be if the twitter’s password hashes leaked to the internet"

Say, for example, by using the term that’s been his campaign slogan for 2 elections?

PaulT (profile) says:

Re: Re: Re:5 What's the point of publishing the p

"you can also limit the number of failed password guess attempts to 3."

They do. Unless you’re talking about a permanent account lockout, in which case good luck with the massive number of support calls you just generated from users genuinely trying to log in. Why this is preferable to someone picking a secure password or enabling 2FA is anyone’s guess.

Again, your unfamiliarity with the real world raises its head. You demand not to take responsibility for your own actions and for others to pay a heavy cost when you fail. I’m not exactly sure why an incompetent Finnish coder is so intent on defending the lax security of the head of the US government or why he refuses to obey the most basic security procedures when securing his own property, but it has been noted.

tp (profile) says:

Re: Re: Re:6 What's the point of publishing t

Why an incompetent Finnish coder is so intent on defending the lax security of the head of the US government

The hacking activity already becomes illegal when they first time try to enter guessed passwords to someone else’s twitter account. Even "trying" to open the account when you have no permission to do so is illegal activity.

So why are you defending the people who are in a quest that brings them to local jail cell?

If I was the president, I would ask twitter to put a ip-address logging to the president’s account and send the log file to fbi and send the idiots to jail for a while until they learn that passwords are serious business.

PaulT (profile) says:

Re: Re: Re:7 What's the point of publishi

"Even "trying" to open the account when you have no permission to do so is illegal activity."

Yes. So, what does that have to do with your refusal to take basic precautions? Do you also refuse to lock your doors because burglars would be committing a crime when they try to rob you?

"So why are you defending the people who are in a quest that brings them to local jail cell?"

Because you’re hallucinating again. The version of my words that exist in the real world are doing no such thing.

"If I was the president, I would ask twitter to put a ip-address logging to the president’s account and send the log file to fbi and send the idiots to jail for a while until they learn that passwords are serious business."

Well, you apparently can’t read, so you have that as well as your pig ignorance and refusal to do any work in common with Trump.

If you were to read the articles, you’d know that the reason we’re reading this story is because the "hacker" reported what he’d done to the press so that people would know how poor Trump is at basic security, that he’s not a US citizen and that the country that does have jurisdiction over him have already investigated him. So, your demand not only couldn’t work as Trump has no jurisdiction, it would be a meaningless show of force that does nothing that hasn’t already been done. Which strangely enough, is yet another Trumpian idea you share with the orange one.

Maybe next time instead of inventing new ways to announce to the world that you’re a lazy idiot, next time you might find the time to read the article you’re commenting on?

nasch (profile) says:

Re: Re: Re:4 What's the point of publishing the passw

You know what’s a better defence against a dictionary attack? Using a strong password that doesn’t contain a dictionary word, and backing that up with the 2FA option that Twitter provide to you.

Two comments, one is that a long password is even better than one that doesn’t contain words. Easier to remember and just as strong or stronger (insert relevant XKCD). Two, if you have good 2FA the strength of the password isn’t as important anyway.

PaulT (profile) says:

Re: Re: Re:5 What's the point of publishing the p

Well, the simple responses to that are that a random selection of characters is just as good as some words and you should really be using a password manager anyway to avoid the need to try and remember the passwords for hundreds of sites. If for nothing else, because that would naturally lead to you reusing passwords, which basically removes protection for all sites you log in to with that password when one leaks, which won’t happen if you’re using unique passwords. Use the XKCD method to create your master password by all means, but if you’re using it to try and remember passwords for a large number of sites, you’ll probably slip up at some point.

As for 2FA, that’s always a good thing, but do remember that it can be bypassed (for example, hackers have been known to use social engineering tricks to get your phone number in order to bypass SMS checks, while email is also error prone. Authenticator apps are better, but not everywhere allows you to use them).

It’s a lot less likely that people are going to be using those tactics than they are to brute force, retry previously leaked logins or use security flaws in the website itself to gain access, but while 2FA is always a great thing to use, it’s not a panacea.

nasch (profile) says:

Re: Re: Re:6 What's the point of publishing t

you should really be using a password manager anyway to avoid the need to try and remember the passwords for hundreds of sites.

Yes, a thousand times yes!

As for 2FA, that’s always a good thing, but do remember that it can be bypassed (for example, hackers have been known to use social engineering tricks to get your phone number in order to bypass SMS checks, while email is also error prone.

Yeah if your only option is email, I don’t think I would even bother. Just set a strong password and use a password manager.

PaulT (profile) says:

Re: Re: Re:7 What's the point of publishi

Nah, 2FA is valuable even if it’s just email as that both presents an extra hurdle for would-be attackers, and increases the chance that you can take action to protect an account under attack before the intruders get any access to your property. You just can’t go around thinking that it will always protect you, especially if you’re reusing passwords or doing something else that weakens your security in another way.
