@POTUS and Other White Houses Twitter Accounts Insecurely Tied to Gmail Addresses
The security of the White House’s social media accounts became a topic of conversation on Thursday. First, on consecutive days, White House Press Secretary Sean Spicer tweeted strings of letters and numbers that some speculated could be a password:
That both tweets (which were quickly deleted) were eight characters long, a somewhat standard password length (though Twitter’s minimum is six), helped fuel the speculation. Other theories included that it was a two-factor authentication code or that it was a pocket/butt tweet. Regardless, it generated some interest in the security of the most powerful Twitter accounts in the world.
Both CNN and The Intercept report that various White House accounts as well as the personal accounts of various staff were not secured as well as they should be. Specifically, on several accounts, including the president’s official @POTUS account, a critical security setting was not turned on, one that requires the account’s email address or phone number to be entered to start the password reset process. Without that box checked off, anyone can start the process, which then shows a partially redacted version of the account email address and thus makes the account more vulnerable to hacking.
From there, it was discovered that @POTUS was tied to a regular Gmail account. From the redacted email shown at the time, it appeared to be that of Dan Scavino, Trump’s head of social media. If someone were able to find a way to get Scavino’s Gmail password, they would have had the ability to tweet as the President of the United States. It was a phishing email sent to the Gmail account of Hillary Clinton aide John Podesta that led to his account being compromised last year and his emails being posted on WikiLeaks.
As of this writing, the email address on the account has since been changed to what appear to be two different White House emails, but the extra security layer is still not checked off. However, Trump’s personal/business account, @realDonaldTrump, does in fact have the extra security layer turned on: