The same hacker who breached 500 ISIS accounts on Twitter has a message for President Trump: change your security settings ASAP.
According to a man who identifies himself online as WauchulaGhost, the president, vice president, and first lady are more vulnerable to hackers because of a basic Twitter security setting they’re not using.
WauchulaGhost contacted me about these insecurities on Saturday. I spent the last three days trying to reach the White House for their response to WauchulaGhost’s claims. I sent multiple emails, including several directly to Dan Scavino, Donald Trump’s head of social media.
On Monday night, WauchulaGhost made the issue more public, tweeting the emails associated with the accounts and the message: “Change your emails & Fix Settings.”
In June, WauchulaGhost made headlines by hacking into pro-ISIS accounts and replacing content with images of porn and gay pride messages. He says he has no interest in hacking the president, but that Trump’s security settings may leave him vulnerable to other hackers.
According to WauchulaGhost, @POTUS, @FLOTUS and @VP are more vulnerable because they haven’t selected a basic security feature on Twitter that requires you to provide a phone number or email address to reset your password. The current security setting for these three accounts allows anyone to click on “forgot password” and type in @FLOTUS, @POTUS or @VP. The next screen says “we found the following information associated with your account” and gives a partially redacted email address to which it will send a password recovery link.
WauchulaGhost says being able to fill in the missing letters and guess someone’s email address is the first step hackers take when trying to breach an account.
“It’s not hard for us to go figure out that email,” he told CNNTech in a Twitter direct message. “I’ve taken over 500 Islamic State accounts.”
WauchulaGhost says he found the likely email associated with Melania Trump’s handle within twenty minutes. He said the email associated with Vice President Mike Pence was easy to guess once you saw the redacted version: firstname.lastname@example.org, which WauchulaGhost pieced together as email@example.com. It has since been changed, but the president’s and first lady’s email addresses remain the same. (And the VP account still doesn’t have the extra layer of security.)
CNNTech reached out multiple times to the White House and to Scavino to alert them to the lack of security on the accounts.
As of Tuesday morning, we have not received a response.