Not that it matters
Once a Trump presidency became a scary reality there have been countless examples of just how inept, broken and dysfunctional of a human being the man was on so many levels. Well you can add password security to his long list of flaws. This story came to me via a podcast I subscribe to, Darknet Diaries which talks about a variety of IT hacking incidents and scenarios. The last three episodes have told a pretty terrifying story of just how clueless and lazy our former Big League leader was/is in terms of password best practices.
Back in 2012 LinkedIn had a data breach that exposed millions of users personal data. Some of that data included password hashes. When the breach was revealed of course LinkedIN eventually notified users and advised them to not only change their password on LinkedIn but also on any other sites that they use the same password on as it was now potentially exposed.
Several years later, in 2016, somebody had cracked a bunch of those password hashes and published it on the internet. A group of ethical hackers in Denmark called the Guild of Grumpy Old Hackers was looking at this data that was released into the wild. They searched for various people and one of those people just happened to be the then presidential candidate, Donald Trump. Donald did indeed have a LinkedIN account at the time of the breach.
So these guys for the heck of it went to Twitter and thought they would try the password that was exposed in the LinkedIN hack on Donald Trump’s Twitter account. Yes the Twitter account that he cherished and bragged about to the world. Imagine the hackers faces when they entered the 2012 LinkedIN password in the @realdonaldtrump sign in page, and it worked…. The guy was using the same password from the 2012 hack, which he surely used elsewhere as well. The cherry on top was just how stupidly simplistic the password was, “yourefired” I kid you not. The ethical hackers after a lot of effort did eventually make US authorities aware of this gaping hole in basic password security and it was addressed. So whew, crisis averted, I am sure Donald learned his lesson, right? Wrong.
Fast forward to October of 2020. This same group of hackers were curious just how secure Trump’s Twitter account was leading up to the election as it had been weaponized to unleash disinformation at a torrid pace. They had heard on the message boards that at Trump rallies they offered free wifi. The password on that wifi was posted as “maga2020!!” So the hackers first tried to verify if the account utilized 2FA (two factor authentication), a pretty standard safety practice present day that requires secondary verification by SMS or email when a logon is detected from a new location. Surely the Twitter account of the president of the USA would have 2FA turned on. It did not.
Once they confirmed 2FA was not on they tried variations on that wifi password that was posted on the internet. It took them only five guesses until they guessed right, “maga2020!” Yes, Trump’s Twitter password was “maga2020!” The hackers were flabbergasted that four years after they found just how insecure Trump’s Twitter was, it still was, with another weak password and no 2FA. They notified authorities and initially were not responded to. They got frustrated and posted news of the breach, leaving out specifics, which finally got them a phone call from the Secret Service. Trump, reacted as you would expect. An inquiry by the Dutch authorities, surely pushed for by the Trump administration, was launched against the Grumpy Hackers who have documented over 5000 ethical hacking cases where they find vulnerabilities and report them so they can be fixed instead of exploited. The investigation found the Grumps innocent of wrong doing, thankfully.
As I began with, unless you are a MAGA worshiping cultist, you already knew the level of incompetence that was circling around the White House for the last four years. However I am thankful that we have groups like the Grumpy Old Hackers to protect us from lazy, sloppy, ignorant, yet powerful individuals that don’t know/care enough to do the basics to help prevent a cybersecurity breach.