There’s an extraordinary story in the security world today.
In fact, it’s so extraordinary that I’m also inclined to believe that it cannot possibly be true. But then, this is 2020… and I’m losing all sense of reality, so maybe it is true.
According to Dutch magazine Vrij Nederland (VN), in 2016 three ethical hackers known only as Edwin, Mattijs and Victor, scoured through the password database that had leaked out of LinkedIn a few years before.
In it, they found a hashed password that appeared to belong to one email@example.com. And having managed to extract the password from the hash, they attempted to see if it would unlock the then US Presidential candidate’s Twitter account.
Here’s what happened according to Vrij Nederland, courtesy of Google Translate:
With the program John the Ripper – a tool that hackers use to crack hashes – Mattijs retrieved the password in less than a second: yourefired
Before anyone could say anything, Edwin was tapping.
The password was accepted, as an extra verification step an e-mail address had to be entered.
But that address was wrong.
Edwin nearly fell off his chair. This meant that Trump had not changed his password after the 2013 ‘hack’.
When the three men entered the correct email address for the account (firstname.lastname@example.org) they were – fortunately – blocked from accessing the account. But only because Twitter noticed they were trying to log in from Europe, and Trump himself had lost logged in from New York.
Imagine you were a reality TV star who was well known for a catchphrase. Would you use that catchphrase for your password?
That would clearly be a very silly thing to do. But it’s even worse to use that same weak password in multiple places online.
And there are no words in existence to describe how stupid it would be to be so reckless with your password security if you were in the running to become the next President of the United States of America.
Oh, and it’s not just Trump of course. Let’s not forget that Mark Zuckerberg infamously used the same dumb password (“dadada”) on several of his social media accounts, which hackers were able to exploit in mid-2016.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.