Twitter CEO's account got hacked, fell victim to SIM swapping

Twitter CEO Jack Dorsey's own Twitter account was hacked yesterday, allowing the perpetrators to post a total of 17 offensive tweets. The tweets were up for no more than 10 minutes and a little over an hour after the issue was noticed the account was already secure. In a statement, the Company points the finger at the carrier, assuring Twitter systems have not been compromised.

The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.

— Twitter Comms (@TwitterComms) August 31, 2019

The technique used was SIM swapping - a phone number can be migrated by the carrier to a new physical chip, the provision being to be able to keep your number in case you lose or break your SIM card. On the other hand, if you were to successfully deceive customer service (by providing enough data to convince them you're the rightful owner) or have an insider willing to cooperate, you could end up tweeting from Jack Dorsey's account.

The tweets were sent out using Cloudhopper, a company Twitter acquired in the past offering an SMS service by the same name. This would likely mean the hackers had little access to the account other than being able to post tweets via text messages from the phone number linked in the account - so no DMs and no followers lists and such.

Source