Twitter and the White House have both denied reports that a Dutch security researcher was able to log into Donald Trump’s infamous Twitter account with the impossibly easy to guess password “MAGA2020!” But it turns out that really did happen, at least according to Dutch prosecutors.
Per the Washington Post, Dutch authorities investigating security researcher Victor Gevers confirmed this week they find his story credible, but have declined to prosecute Gevers because he promptly disclosed the issue. Gevers was one of three Dutch hackers who claimed to have been able to log into @realdonaldtrump in 2016, before the national nightmare of Trump’s term in office began, by simply entering the president’s catchphrase “yourefired”. He additionally claims that in October 2020, he was able to guess Trump’s updated password in just five tries and discovered that the president’s account did not have two-factor authentication or any other security measures in place.
According to the Register, Gevers said that his initial reaction was “Shit. Why! Why him? There goes my weekend,” and he and friends panicked and attempted to notify anyone in the U.S. government or Twitter who would listen, such as the Secret Service, the White House, and the social networking site’s security team.
The prompt disclosure was apparently key to Dutch authorities’ decision Gevers was acting in good faith. Openbaar Ministerie, the Dutch public prosecutor’s office, told the Guardian in a statement, “We believe the hacker has actually penetrated Trump’s Twitter account, but has met the criteria that have been developed in case law to go free as an ethical hacker.”
Gevers is the founder of the GDI.foundation, a network of volunteer security experts that works to identify breaches, weak security, and vulnerabilities, and chair of the Dutch Institute for Vulnerability Disclosure.
According to ThreatPost, Gevers said the U.S. government didn’t acknowledge they had received the disclosure but that he had noticed two days later the president’s account was protected with 2FA. Dutch newspaper De Volkskrant reported Secret Service agents had also visited the researcher in the Netherlands.
Motherboard had strongly contested Gevers’ version of the story, highlighting several alleged inconsistencies in his claim including a mismatched character count in screenshots Gevers said were taken from within the account and recent efforts by Twitter to strengthen security on world leaders’ profiles. Motherboard also argued that Twitter would almost certainly be able to detect such an intrusion.
As numerous publications noted at the time, Gevers is highly respected in the cybersecurity field and making all of this up would be a weird move. It’s also possible that the account wasn’t protected as well as it should have been to enable easier access for campaign staff tweeting on Trump’s behalf.
If the password really was “MAGA2020!”, and Twitter has no record of Gevers’ access, it would be an extraordinary stroke of good luck that he was the only one to stumble upon it—not just because a moderately well-informed toddler could guess it, but because it’s short and simple enough to make it trivial to brute force. More likely, any foreign intelligence services and any other unauthorized password-guessers that may have gained access would have simply kept the secret to themselves to avoid detection or prosecution.
Trump has used Twitter as a convenient way to order policy changes and, on several occasions, the prospect that he would start a war via tweet was the subject of not entirely outlandish speculation. The potential ramifications of someone other than Trump having access to @realdonaldtrump are probably obvious to everyone but Trump.
A Twitter spokesperson denied Dutch authorities’ account of what happened to ThreatPost, writing: “We’ve seen no evidence to corroborate this claim, including from the article published in the Netherlands today.” The BBC reported the company has “refused” to answer questions about whether it had installed extra security on or kept access logs for Trump’s account.