Well, this is scary.
I had [incorrectly] assumed to get a blue check, you had to have 2FA turned on.
Apparently, the president had neither a strong password nor 2FA.
@0x56 and _you're_ getting a blue checkmark.
Did I miss anyone?
@0x56 I have legal questions here. If his musings via the birdsite are not official, then why is the Secret Service bothering? If they are official, then several things he has said via the site are likely illegal, right?
@JGNWYRK - you have questions I'm unqualified to answer.
@0x56 understood, but sometimes I ask the universe things that I don't expect an answer to.
@0x56 so how many other accounts out there and systems have the same password?
Like his classified accounts and/or government accounts? Banking? Etc?
You just *know* he's the type to use the same password across multiple sites.
@Hobyrim - I'm going to guess his personal email account - although I'd guess his official govt. email is not open to the internet.
@0x56 probably not. But if you were, say, a high-level Russian or Chinese (or other hostile) actor, do you try to see if you can get access?
What about his dormant and/or abandoned accounts that I'm sure some people have compiled over the years? Do you think they go back and try passwords like "You'reFired!" etc to get access to those?
I know we've said the man is a walking security risk, but JFC, he has the same care for infosec as my 80+ y/o grandma.
@Hobyrim - yeah, I'm really still surprised that 2FA wasn't enforced.
@0x56 I am kinda, but also not. I'm assuming that lots of different members of his staff and/or family have access to that Twitter account, and 2FA would really mess up having an account run by many, especially if someone is forgetful with passwords.
@JGNWYRK I completely expect a lot of people to have tried to access his stuff in the last 24-48 hours.
@0x56 supposedly Twitter denied it ... but ... it's not like they would necessarily fess up to not noticing the president was suddenly logging in from the Netherlands
@serrenity - IDK, it's entirely possible the researcher was using a VPN, so I'm gonna give that one a pass.
@0x56 I mean, yeah, if I had taken another 30 seconds to think about it, I would expect a white hat to be able to easily sidestep Twitter's automated alerts.
But even if they were justified in missing it, I don't think Twitter is in the space to be like "Whoopsies!"
^^ it's worse than I thought
https://arstechnica.com/tech-policy/2020/10/hacker-says-he-correctly-guessed-trumps-twitter-password-it-was-maga2020