Remember when Donald Trump had a Twitter account? He actually had two for a while. One called @POTUS and the other called @realDonaldTrump, and he used his personal one a lot while he was president. I'm picking up now. I think I picked up yesterday 100,000 people. It's a modern form of communication.
Of course, that was before his account got banned. He sent thousands of tweets while in office. He had over 80 million followers, and that put him as the seventh on the list of the most followed Twitter accounts sandwiched between Lady Gaga and Taylor Swift. But he's tweeted tens of thousands of times more than both of them, and he tweets more than anyone in the top 10. Twitter was his mouthpiece for so many things.
Secretary of State Rex Tillerson learned he was fired at the same time the rest of the world did on Twitter. The president issuing this tweet suggesting that he is ready to leave Walter Reed this evening. He's feeling much better and ready to go back to the White House. The president has a habit when he sees his advisors and cabinet secretaries even saying something in public that he doesn't like. He has a habit of rebuking them over Twitter.
Social media is the way to go. I've got over 100 million people watching, and social media to me is the way to go. It's a fast way of getting the word out.
With all that power and influence, I sure hope he practices good security so that his Twitter account doesn't get hacked, especially after saying things like this.
That statement is actually pretty ironic because Trump's Twitter account was hacked into three times that we know of. And in this episode, we'll hear from the guys behind one of those hacks. These are true stories from the dark side of the internet. I'm Jack Recider. This is Darknet Diaries.
The first time that we know of Trump's Twitter account getting hacked was in 2013. Someone got in and tweeted out some Lil Wayne lyrics. They posted, quote, these hoes think they classy, well, that's the class I'm skipping, end quote. Within minutes it was deleted, and then Trump tweeted, my Twitter has been seriously hacked and we're looking into the perpetrators.
As far as I know, they never caught the person who did that. Keep in mind that was 2013, long before Trump even began running for president. So maybe securing his account wasn't the highest priority at the time, since he wasn't president. But you would think a self-proclaimed billionaire would take his digital security seriously. Well, maybe he didn't.
And this all reminds me of another person who got their account hacked into: a woman who was also running in a presidential election. She got her emails hacked into. And no, not those emails. I'm talking about Sarah Palin. She was running for vice president in 2008 and got her Yahoo account hacked into.
How, though? Russian hackers, you guess? No, it was a 20-year-old guy on 4chan. Her email address was gov.palin@yahoo.com, which was not that hard to figure out. So he went to Yahoo and typed in her email address. Then he clicked, I forgot my password. Yahoo said, okay, no problem. Just answer these questions and we'll reset your password. Question number one: what is your birth date? Well, the hacker just went to Wikipedia and found that right away. Yahoo's website said, okay, great. One more question: what high school did you go to?
Well, Sarah Palin was not shy about talking about her hometown of Wasilla, Alaska on TV in so many interviews. So practically everyone knew she graduated from Wasilla High School. But besides that, it was also listed on her Wikipedia page too.
After the hacker typed that in, bingo, Yahoo let him reset the password and he was able to get into her account and see her emails. The hacker posted screenshots of emails to 4chan and caused a riot in the media. He was later arrested and sentenced to one and a half years in prison for gaining unauthorized access to Sarah Palin's account.
Sadly, the hacker who did this, David Kernell, was diagnosed with multiple sclerosis and died in 2018 at 30 years old. But this raises my first ethical question. Personally identifiable information, or PII, is the stuff the public isn't supposed to know about. Your birth date and where you went to high school shouldn't be just sitting out there in the public. But Sarah Palin's PII is right there on Wikipedia.
So the question is, if I go on to Wikipedia and look at this, would you say I committed identity theft?
Well, the judge said, yes, this hacker did commit identity theft by using the information that was posted on Wikipedia. But anyway, back to Trump. The second time his Twitter account got hacked was in 2016, the year he was running for president, and it was done by some grumpy old hackers. Okay, I'll click it one more time. Ah, it's working now. Yes, it's recorded. Yeah. Geez.
How many hackers does it take to click on one button, right? Yeah. I called up the three guys that in 2016 hacked Donald Trump's Twitter account. They're Dutch and part of a hacking club in the Netherlands. And so collectively you're called what? The Guild of the Grumpy Old Hackers. Because we are grumpy. We're grumpy and old. Very grumpy and old. And not as old as happening.
Thank you. So the grumpy old hackers are a few friends that are also IT professionals. Edwin, who I met at DEF CON once, has gray hair and a big gray beard. He seems like an elder statesman to me. I'm Edwin, I'm old, I'm like almost 50.
Hacked since I was a kid, started on old computers my dad brought in, grew up from there, met a lot of hackers around the world in the years after. And the thing I love is combining all the hackers together. So we are also the Guild of the Grumpies. It's like a combination of mostly elderly hackers just having fun and trying to do stuff, which is always on the edge, because that's mostly where the fun is.
Also on the call is Matt. My name is Matt and I spent a 20-year professional computer security career both on the offensive and as well as the defensive side and I developed a special interest in process automation and industrial systems. So I've been taken with a lot of nice devices over the years and found several vulnerabilities in that.
Then there's Victor. So my name is Victor. I'm a security researcher. I've been doing responsible disclosures. So I like to find problems, vulnerabilities, configuration errors in systems, and then try to track down the owner of the system or the organization and then notify them. It grew from a little hobby into almost an entire day job.
Victor works with the Dutch Institute for Vulnerability Disclosure, something Edwin and Matt help out with, too. Together, they like to find vulnerabilities in things and report them to the people who can fix them. Someone once described these guys as... The guys who inform you that your zipper is open just before you go on stage, you know? That's basically us. We whisper in your ear, sorry, man, your password is out there. That's the idea. We try to help people.
Yeah, we don't need people to be embarrassed or whatever, and we love finding stuff. We love finding leaks in systems, in servers, in doors, in lock-picking stuff. We love all those puzzles. That's for us. And if we find something, yeah, we will tell you about it. The grumps find problems and then tell whoever's in charge of that and get them to fix it. And maybe they'll respond by saying thank you, because they want stuff to get fixed so the internet can be a safer place.
Another important thing that the grumps do, which Edwin is known most for, is mentoring the next generation of hackers, especially those that could get into trouble with the law, or already have. They work with HackRight, a Dutch law enforcement program that helps put young offenders back on track. The goal is to recalibrate their skills for ethical hacking. We see a lot of kids who go in the wrong side when they, for instance, find a database of credit card information or something, and try to tell people about it, and when we hear about it, we try to steer them in the right direction, so do a vulnerability disclosure to the company. Like if you stumble onto a database, don't sell it on the dark web. Instead, let that company know that there's a problem with their security and keep it between you and them.
And that's the grumpy way. But the grumpy way and ethical hacking can have some gray areas. Here's a question for you, my listener. Suppose these grumpy hackers find your password out there. Should they test it first to see if it's valid before telling you it's out there? Or just tell you that they found it.
Or here's another one. Should they test it on other accounts that you also have too, to let you know that, hey, not only did we find your password, but we know for sure it works on these four accounts. It seems wrong for them to test all this, right? I mean, how dare they try my password on all these accounts?
But let's remember what their intention is. It's to help people be more secure. They just want to do it in a responsible way. And so I just wonder if it's possible to trespass responsibly?
Yes, there are bug bounty programs out there that openly say if you can hack me, we'll give you a reward. But what about all the places out there that don't have bug bounty programs? Do you have a bug bounty program for your own personal life? A lot of places don't, because either they can't afford it, or it's a school or a charity, or they don't even know that's a thing.
And if you try to email a charity and ask them, hey, would you like a free penetration test? Chances are they'll tell you to take a hike. I suppose there's an argument that could depend on who you're trying to hack, too, if it's somewhat important, like the president. It might be good to test their security for the good of democracy. That's an ethical dilemma, which the grumpy old hackers were facing back in 2016.
It all started when they got together and went to a security conference. We were at a conference called BruCON in Belgium. BruCON is an annual meetup for hackers and security professionals. Now, shenanigans certainly happen at these kinds of gatherings. In fact, when you go to a security conference like this, you'll see tables of people all sitting around using their computers obsessively, not going to any talks or workshops, just using their computer the whole time. And it's kind of weird at first. Isn't a conference supposed to be for socializing and getting to know others? Why are people just huddling around their computer, seemingly isolating themselves from the whole event? Well, there are a lot of reasons. Sometimes there are hacking contests going on and you just need a place to work on them. Sometimes people are learning new hacking methods, testing them out and teaching each other. And sometimes people are up to no good and just trying to hack the hackers.
Edwin, Victor, and Matt all head up to their hotel room after the conference to chill out and unwind for the day. But during that day, Edwin got access to the LinkedIn database from 2012. If you're unfamiliar with this, check out the episode just before this one. Basically, back in 2012, LinkedIn's website was breached and over 100 million emails and passwords were stolen. The database was sold on the dark web for a while, but kept mostly hidden. But in 2016, the database started making its way around the internet, getting passed around freely, so for the first time security researchers were seeing exactly what was in the database dump. And that's when Edwin saw a link on Facebook, which was the LinkedIn database. And he downloaded the over 100 million user details and showed it to Matt and Victor. And together, in their hotel room, that night, they explored what was there.
We would never buy a database. We don't do stuff like that. But now it's available for free. So we can download it and we can look at it. And yeah, that's what we did.
It was the evening of October 27th, just about a week before the 2016 U.S. presidential election. Sitting around in a hotel room, the grumpy old hackers started looking through the database. At first, they were just looking around for their own names to see if it was in this database and if the password was cracked or accurate or what.
Then they started looking for other people they knew. We saw a lot of people we know in there, so we tried to warn them, call them, send them messages, you know, your password is in there, change it immediately if you don't, etc, etc.
Okay, so the data stolen from the LinkedIn breach was usernames, email addresses, and SHA-1 hashed passwords. Now, hashed passwords aren't passwords. It's what the password looks like after it goes through an algorithm. It takes some footwork to figure out what these passwords were. Unfortunately, LinkedIn wasn't salting their passwords, which is a way to make cracking passwords harder. So someone tried their best at cracking the 100 million credentials in this breach. And some reports say that they were able to crack 60% of the passwords.
The document that Edwin downloaded from Facebook simply contained the email address and the cracked, clear text password. So if they were to look in this database for their friend's name and there was a hit, they would see that friend's password that they were using on LinkedIn in 2012, four years earlier than this. And as you might have guessed, many users weren't picking strong passwords. Over 700,000 users just had the password one, two, three, four, five, six.
And 170,000 people just had linkedin as their LinkedIn password. And of course, the third most popular password was just password. Those are bad passwords. And these grumpy geeks took it upon themselves to educate everyone they knew about what they were seeing in this database dump.
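The breach passage above turns on one detail: the hashes were unsalted SHA-1. Here is an added example, mine and not from the episode or from LinkedIn, using a constructed six-user dump (made-up emails, passwords and word list) to show why one precomputed table cracks every password reuse in a single pass, how equal digests expose shared passwords even before cracking, and how a per-user salt with PBKDF2 removes that shortcut.

```python
"""Why an unsalted SHA-1 password dump falls to a word list almost for free.

Added example (not from the episode or from LinkedIn). The dump below is
constructed: made-up users and passwords, hashed the way the episode describes
(plain SHA-1, no salt). Identical passwords give identical digests, so one
precomputed table cracks every reuse in one pass; a per-user salt breaks that.
"""
import hashlib
import os
from collections import defaultdict

# Constructed sample: what a breached site's user table might have held.
SAMPLE_USERS = [
    ("alice@example.test", "123456"),
    ("bob@example.test", "linkedin"),
    ("carol@example.test", "password"),
    ("dave@example.test", "123456"),          # same password as alice
    ("erin@example.test", "yourefired"),
    ("frank@example.test", "Tq7!v9#pL2@xZr"),  # strong; not in any word list
]
# Stand-in for the large word lists crackers use (top breach passwords).
WORDLIST = ["123456", "password", "linkedin", "qwerty", "yourefired", "letmein"]


def sha1_unsalted(password):
    """How the episode says LinkedIn stored passwords in 2012: bare SHA-1."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_unsalted_dump(users):
    return [(email, sha1_unsalted(pw)) for email, pw in users]


def shared_hash_groups(dump):
    """Even before cracking, equal digests reveal which users share a password."""
    groups = defaultdict(list)
    for email, digest in dump:
        groups[digest].append(email)
    return {d: emails for d, emails in groups.items() if len(emails) > 1}


def build_lookup_table(wordlist):
    """Hash the word list once; the table works against every unsalted dump."""
    return {sha1_unsalted(w): w for w in wordlist}


def crack_unsalted(dump, wordlist):
    """Returns {email: password} for each digest found in the table: pure lookups."""
    table = build_lookup_table(wordlist)
    return {email: table[d] for email, d in dump if d in table}


def salted_hash(password, salt, iterations=600_000):
    """What the site should have done: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_dump(users, iterations=600_000):
    return [(email, salt, salted_hash(pw, salt, iterations))
            for (email, pw), salt in ((u, os.urandom(16)) for u in users)]


def crack_salted(dump, wordlist, iterations=600_000):
    """Each user needs the word list re-hashed with their own salt: no shared table.

    Returns (cracked mapping, number of slow hashes the attacker had to compute).
    """
    cracked, hashes_computed = {}, 0
    for email, salt, digest in dump:
        for w in wordlist:
            hashes_computed += 1
            if salted_hash(w, salt, iterations) == digest:
                cracked[email] = w
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    dump = make_unsalted_dump(SAMPLE_USERS)
    print("users sharing a hash:", shared_hash_groups(dump))
    print("cracked with one table of", len(WORDLIST), "hashes:", crack_unsalted(dump, WORDLIST))
    # Low iteration count only to keep the demo quick; production should use the default.
    salted = make_salted_dump(SAMPLE_USERS, iterations=1_000)
    cracked, work = crack_salted(salted, WORDLIST, iterations=1_000)
    print("salted: cracked", len(cracked), "users but needed", work, "slow hashes")
```

Weak passwords still fall to a word list even when salted; what the salt removes is the one-table-for-everyone shortcut, so the attacker's cost grows with the number of users and the hash's iteration count.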
So they sent out emails to friends and family showing them that their password from four years ago is now visible to everyone in the world, because if they were using that password anywhere else, it should also be changed. And they expanded their search beyond friends to people they knew of.
We did it to just warn the people we know, and there were a lot of people from government, the Netherlands, in there, from police, and a lot of big companies were in there, and we just tried to warn them. The messaging was like this. Hey, look, we see your email and password is in the LinkedIn database dump, which is getting passed around freely now. If you have any login accounts which use this same password, it's a good idea to change it. Victor says people were glad to hear from him.
Most were very grateful because credential stuffing was not such a big topic in 2016, but it was going on. And the problem with passwords is that even though we know that we should pick good passwords and we should have good password hygiene, in 2016 no one was actually practicing it. If you look at the entire database and the passwords it contains, it's very clear. Almost no one had a good password.
Victor says they dug around the database and reached out to people for hours. And after that, they were wrapping up and picking a place to go eat dinner. But then... Donald Trump passed on the television because, of course, it was an election year and it was just on the television. So that was the cue for Matt. If he's in there, you know, how many Trumps are in there anyway?
Matt checked for Donald Trump in the LinkedIn database.
Okay, so they grepped, or searched, this text file for anything that matched trump.com. And there were a lot of hits. The first name on the list was an employee at marina.trump.com. This was a casino that Donald Trump owned in New Jersey, but it racked up more debts than profits, and Trump sold it in 2011 at a significant loss. The next hit was for a person with a plaza.trump.com email address.
The Trump Plaza was another casino in New Jersey that closed down entirely due to losses, leaving 1,300 employees out of work. Then there were a lot of hits in the database for taj.trump.com. Once again, this was for employees who worked at Trump's Taj Mahal, another casino in New Jersey.
And what's interesting about that casino is that it was found guilty of money laundering and fined by the government, and it was the highest fine ever levied by the US government against a casino. And yeah, that casino was also shut down. But the Hard Rock Cafe bought it, remodeled it and reopened it.
And so there were a lot of names in this database who worked at defunct Trump casinos. But as they kept scrolling through, they found the Donald. In the LinkedIn database, standing there in the crowd, was an email address: donaldtrump@trump.com. This was Donald's email address. They immediately looked at his password.
The password was already correct, that one. But, yeah, it was so obvious, so we thought, yeah, this cannot be true. Trump's password was so blatantly simple. It left them kind of giddy and in disbelief. And then I probably said, what's his password? Ah, you're never gonna, you're never gonna guess. It's you're fired. What?
Trump's LinkedIn password in 2012 was, you're fired. All lowercase, no spaces, no special characters. You're fired was the catchphrase he used on his reality TV show, The Apprentice. Jennifer, this is really easy. You're fired. Chris, you're fired. Maria, you're fired. You're fired. You're fired. You're fired.
It became a very popular thing for him to say on the show, so it was shocking to these grumpy hackers to see such an obvious and basic password that he was using to get into LinkedIn in 2012. Now, at first I questioned whether Donald Trump even had a LinkedIn account in 2012, because I just can't even imagine a billionaire caring about having an account on LinkedIn.
I just went there and typed in a bunch of billionaire names and most don't have accounts there. People go on LinkedIn to network and to look for jobs. Donald Trump doesn't need to network or look for jobs, but this account was his. And he also had a Twitter account and a Facebook account at the time. So maybe he was just interested in social media and wanted accounts in the top places like everyone else had. I mean, Obama had an account on LinkedIn at the same time too.
Now his credentials could have been simple for a couple of reasons. To start, I'm guessing that Trump isn't all that tech savvy, and he's very busy. So he probably didn't even set up his own LinkedIn account. He probably didn't huddle over his computer for hours, like everyone else, writing out a description of himself and his accomplishments and following all his friends. So it's possible that whoever set this account up just wanted to give him an easy password that he'll remember.
Or maybe multiple people needed access to his account because they're social media managers. They've managed his account for him, so they just picked an easy to remember password. And in 2012, it wasn't easy to share long, complex passwords securely. Nonetheless, for a celebrity self-proclaimed billionaire, this was bad practice. This left the grumps wondering just how poor Trump's password hygiene was. He wouldn't reuse this same password on other accounts, would he?
And definitely not four years later, right? We were just joking around, but would he be so stupid to reuse his password for his Twitter account? No, that cannot be true. If it were true, it would be straightforward for the grumps to log into Trump's Twitter account. They, like everyone else, knew the correct username, @realDonaldTrump, and now they had a password to try. So the group started thinking about what they could do with Trump's password.
I just typed it in while the other guys were still mesmerized. And then they said, maybe we should try it. And I think Victor even said, no, that's dangerous. Don't do it. Yeah, don't do it. And then I said, like, uh-oh. Too late.
Edwin was just too curious. He went straight away to Twitter.com, typed in the username, @realDonaldTrump, and typed in the password, you're fired. And it worked, to a degree. Twitter didn't just let him in right away, but it also didn't say incorrect password. Instead, it asked Edwin to confirm the email address for the account. So we got the extra check for his email address.
But at that time you know, of course, hey, the password is correct. It's true. The fact that they got asked to confirm the email means the password was correct. Donald Trump was still using you're fired as his Twitter password in 2016, while he was running for president, just weeks before the election.
The email check was an extra layer of security, since the attempt came from a hotel room in Belgium, not wherever the real Donald Trump was. Twitter's website did this extra check to make sure the login was valid. But this was an incredible moment. Trump's years-old ridiculous password was still valid, but the grumps quickly shook off their disbelief because they realized they had a new problem. Matt says Edwin hadn't done anything to cover his tracks.
If it had not been correct, we would have moved on. But now, you know, okay, we logged in with the correct password. What will happen? We didn't use any VPN or anything, so it would trace back to the hotel and eventually to us. But had they done anything wrong yet? They didn't fully log in. They just tried one password one time to see if it was valid, and it worked. To them, it didn't matter, because their fingerprints were now on Trump's Twitter account.
Imagine, if you log in with another password, what would happen if someone else would do the same and he would pursue and would do some nasty things? The first race would be to us, so we would be screwed.
We needed to have this fixed as fast as possible. Aha, interesting. Stakes were suddenly raised. If something went bad with Trump's Twitter account, they could wind up being blamed. Looking at the logs at Twitter, one would see that Edwin successfully logged into the account, and this could come back to bite him, which could lead to legal repercussions.
We were in panic, of course, and then we discussed, okay, we should go on because otherwise we might be in trouble. Going on meant logging into Trump's Twitter account all the way, but sticking with the grumps' own ethical standards by submitting a responsible disclosure to Trump. Essentially, they'd be doing Trump a favor by showing how easy it is to access his account. So stay with us, because after the break, they go all in.
The grumpy old hackers were determined to hack into Trump's Twitter account. Victor, who's found thousands of vulnerabilities, says a responsible disclosure is only good if the hack actually works. When you engage with a target or an investigation and you start your engagement, after that, if you don't use VPN or any other protective measures to hide your identity, then you have to go through. And the problem is you cannot contact Donald Trump and say, hey, we found your password in this database.
So now their dinner plans were canceled. They were on a mission to find the email address connected to Trump's Twitter account and hack into his account.
The email tied to his LinkedIn account was donaldtrump@trump.com, so they tried that. But it didn't work.
So what else could it be? They started doing some OSINT, open-source intelligence gathering, to try to figure out what other email addresses he uses. And they were able to find a few other email addresses. They didn't want to try to brute force this, like just trying one email address after another until they got in, because that would be sloppy and possibly trigger some alerts.
If you start attacking Twitter, then you come to a very gray area, and that was a bridge too far for us. We acted on OSINT, we acted on publicly available information, and the only thing that we had to do was to bypass that last hurdle to make the report valuable for Donald Trump.
So, they took their eyes off Twitter for a moment and started poking at the trump.com domain. They also found another domain, DonaldJTrump.com. They wanted to figure out all the valid email addresses that existed with these domains. So, we had to enumerate it, we had to find which new email address he was using. So, we used SMTP enumeration on these domains, or the email domains. So, what is SMTP enumeration?
SMTP is the email protocol, and enumeration just means you're trying to count how many there are and step through all of them one by one. So this is a fancy way of saying they wanted to find all the valid email addresses associated with Trump's domains. Now, SMTP, or email, works over port 25. So one way to do this is to connect to DonaldJTrump.com on port 25, and you can check whether an email address is valid by using the VRFY command, which is short for verify. You connect and then say VRFY jack@donaldjtrump.com. And if that's a valid email address, it'll say, yep, that's valid, or nope, that email address doesn't exist here. So one way they can enumerate this is just to pick a whole bunch of random names or words and then type them in over and over and over until they have a nice list of email addresses.
But there's a tool that can speed things along. It's called Metasploit. And Metasploit can do a lot of things. It's a hacking framework. But one thing it can do is SMTP enumeration, which does the exact same thing as I just explained. But it uses a big word list to try thousands of names and words to try to find all the valid email addresses on that domain. So it'll try Adam, Bob, Chris, David, and so on. And when it's done, it'll just tell you which email addresses are valid. So they began the process.
Asking the DonaldJTrump.com mail server, what are the valid email addresses? One by one.
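The VRFY behaviour the narration just described, as an added example that is not from the episode: a single-address probe that classifies the server's reply, plus a constructed in-process stand-in for a mail server (hostnames and mailboxes are made up) so it runs offline. A 250-or-550 answer means the server confirms or denies individual mailboxes, which is the leak that makes enumeration possible; the non-committal 252 from RFC 5321 is the hardened answer, and pointing vrfy_discloses() at a mail server you operate tells you which one yours gives.

```python
"""Audit whether an SMTP server answers VRFY with per-mailbox results.

Added example, not from the podcast. ToySmtpServer is a constructed stand-in
(made-up host and mailboxes) that can act either leaky or hardened, so the probe
can be exercised offline; vrfy_discloses() is the part you would point at a
server of your own.
"""
import socket
import socketserver
import threading

# Mailboxes the constructed toy server "knows"; purely made up for the demo.
KNOWN_MAILBOXES = {"postmaster@example.test", "twitter@example.test"}


class _SmtpHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP dialogue: greeting, EHLO/HELO, VRFY, QUIT."""

    def handle(self):
        self.wfile.write(b"220 toy.example.test ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("EHLO", "HELO"):
                self.wfile.write(b"250 toy.example.test\r\n")
            elif cmd == "VRFY":
                self.wfile.write(self.server.vrfy_reply(arg.strip("<>")))
            elif cmd == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 command not implemented\r\n")


class ToySmtpServer(socketserver.ThreadingTCPServer):
    """Constructed mail server on 127.0.0.1 with an ephemeral port (see .port)."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, disclose):
        super().__init__(("127.0.0.1", 0), _SmtpHandler)
        self.disclose = disclose
        self.port = self.server_address[1]
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def vrfy_reply(self, address):
        if self.disclose:
            # Leaky configuration: a different answer for known and unknown mailboxes.
            if address in KNOWN_MAILBOXES:
                return f"250 {address}\r\n".encode()
            return b"550 5.1.1 user unknown\r\n"
        # Hardened configuration (permitted by RFC 5321): same answer for every address.
        return b"252 2.1.5 Cannot VRFY user, but will accept message\r\n"


def _read_reply(sock):
    """Return the 3-digit code of one (possibly multi-line) SMTP reply."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed connection")
        buf += chunk
        lines = buf.split(b"\r\n")
        # The last line of a reply has a space, not '-', after the code.
        if len(lines) >= 2 and lines[-2][3:4] == b" ":
            return int(lines[-2][:3])


def vrfy_discloses(host, port, address, timeout=5.0):
    """Probe one address with VRFY and say whether the reply reveals mailbox existence.

    True  : 250/251 (exists) or 550/551 (does not exist), i.e. the server leaks.
    False : 252 (non-committal) or 502/500 (command disabled), i.e. hardened.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_reply(s)                                  # 220 greeting
        s.sendall(b"EHLO audit.example.test\r\n")
        _read_reply(s)
        s.sendall(f"VRFY {address}\r\n".encode())
        code = _read_reply(s)
        s.sendall(b"QUIT\r\n")
        _read_reply(s)                                  # 221 bye
    return code in (250, 251, 550, 551)


if __name__ == "__main__":
    for mode in (True, False):
        srv = ToySmtpServer(disclose=mode)
        leak = vrfy_discloses("127.0.0.1", srv.port, "twitter@example.test")
        print(f"disclose={mode}: VRFY leaks mailbox existence -> {leak}")
        srv.shutdown()
        srv.server_close()
```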
The biggest rate limiting was actually the hotel's Wi-Fi, the internet connection. Because like every five, six minutes, I get kicked out and you had to reconnect and sometimes the reconnection didn't work. So imagine that you want to do an enumeration or you want to do some tests online to see if those emails are working, you have a very bad internet connection. I think that was for us the limiting factor.
Oh man, that's frustrating. They're trying to help save the president's Twitter account here, but they have crappy Wi-Fi and it's slowing them down. My guess is that since it was at a hacking conference, the hackers in another hotel room were just attacking the hotel Wi-Fi. But after a few hours of enumerating the mail server, they looked at a list of email addresses and one jumped off the page at them. It was twitter@donaldjtrump.com.
This looked like it had the potential of being the email address tied to @realDonaldTrump's Twitter account. It took a little time. You go through the procedures that we already know. We know how to enumerate emails. We know how to validate them online. So that part of the process was okay. The big unknown was how is Twitter security working?
Because once again, this is not the normal work that I do. I hunt for open databases. I'm not into breaking into security systems. So from, yeah, it took the three of us some time to figure out, okay, why did he get the challenge on the mobile phone when I tried to log in? What was going on there?
Yeah, that was Twitter's security policy for logins. If Donald Trump had an active login in New York and then another one came in from Belgium, would Twitter care and flag this as bad? Also, what kind of phone was Trump logged into Twitter with? Did Twitter know that too and consider it at all when a new person logged in as Donald Trump? And if these things are taken into account, how hard is it to impersonate the same phone as Trump and look like you're coming from the same geographical region as Trump?
This was now part of the challenge. You have to start messing with your user agent because you know that he's using a very old Android phone, insecure Android phone. In 2017, Trump switched to using iPhone, but Android Central deduced that in 2016, Trump was using the Samsung Galaxy S3. And that phone originally came out in 2012 and got its last software update in 2015. So yeah, in addition to Trump's poor passwords, his phone was also a security risk.
But the grumps weren't interested in hacking this phone. They just needed to mimic it. So they switched their user agent to look like Trump's Samsung S3. Then there was one more step. You have to find out how this geofencing part of Twitter works. How does it know which is the real user based on geolocation and maybe device or something else?
The grumps needed to look like they were somewhere where Trump would normally sign in from. So they used an open HTTP proxy in New York to route their traffic through that to log into Twitter. These hurdles had taken some time, but they felt like they had everything figured out now. And all those steps that took a good one hour, two hours, I think, approximately to get there. I remember I was bored at some point already. It took some time.
You took a nap for a while. Yeah, I'm the lazy one of the three, so I find something, I make a mess, and then they start fixing it. Well, every one of the roll rides, okay.
At this point, they just ordered dinner up to the room, and they'd been hacking through the wee hours of the morning. But now they were ready. They had tweaked the user agent to mimic a Samsung Galaxy S3. Their traffic was now coming through New York, and they had the username, @realDonaldTrump, the password, you're fired, and the email address, twitter@donaldjtrump.com. They typed it all in, hit enter, and they were in.
I want to know that feeling of like hitting Enter and it says, welcome to your account. I can describe it; the feeling is always the same. We are doing this work for more than 20 years. Getting access to a system even today gives the same, you know, like, ooh, nice, you know, it worked. You solved the problem. Wow, we're in. Yeah, wow, we're in. Yeah. We solved the puzzle. We solved the puzzle.
They had full access to @realDonaldTrump's Twitter account. If they wanted, they could post as him or read his direct messages. They could even change his password and email if they wanted. Surely if that happened, Twitter would recover it. But this is the level of access they now had. They owned Trump's Twitter account. They had cleared the biggest obstacle. And hindsight being 20/20, it didn't seem that hard to pull off.
The Grumps had a mishap, and in a matter of hours, figured out Trump's credentials and tricked Twitter. And now that the hack was complete, they could file a comprehensive, coordinated disclosure with Trump. And that would theoretically protect them from legal trouble. Here's Victor.
And now comes the responsible task of documenting everything, writing the responsible disclosure email, explaining to someone with hardly any experience with computers or security, explaining what the issue is, what he can do about it, what has to be checked, what has to be changed. You cannot say, hey, this is your password, everyone can log in. Goodbye, because that's not very helpful.
You know, you need to, if you write a report, you have to explain what the issue is, how it can be, you know, prevented, and some extra tips, you know, for making sure that it happens again. There were some clear things Trump could do better. He could use a longer, more complex password with special characters, and of course, turn two factor authentication on.
The things that we described, they're technically not so difficult. And you can imagine that in those times, state-sponsored actors were, of course, already busy trying to get access to God knows what systems. So actually, I think we were just in time finding this, because it could have been anyone else in that time period who would find the same way in and do something not so pleasant with that account.
The grumps could have been those bad actors, but that was never their intent. They didn't look at any private messages. They didn't post any tweets. In the end, they only took screenshots to prove they got in. Going further, Victor says, is a no-go area. That's why we teach the young hackers, you know, please, if you do things like this, logging in to an account from someone without their permission is already a very gray area. There must be a very, very good reason to do that, to cross that border. For us, that was a good reason because, well, his Twitter account is at risk. The risk that someone else would do it is very likely there. So to make the report strong enough, valuable enough for Trump to do something with it, we had to go that far.
Victor says going this far to get into someone's account was something they'd normally advise against. Trying to log into Trump's Twitter account was an unusual situation, even by the Grumps' standards. The payout, though, was that they discovered the person running for the US presidency had a vulnerable Twitter account, and they were going to help make it more secure.
The Grumps put their findings and suggestions into an email and sent it over to Trump. In the email, they explained step by step how they got access to the Twitter account, with screenshots of everything. And they even suggested a more secure password, which was exclamation point, I will make America great again in 2016, exclamation point. They cc'd the Department of Homeland Security and the US Computer Emergency Readiness Team, or US-CERT, in case Trump ignored them. And on all these emails, they signed it as the Guild of the Grumpy Old Hackers,
with all three of their full names. They weren't eager to hear something back, but it's stressful when you send an email like this, essentially saying that you hacked into someone's stuff, because you don't know what the reaction will be from it. You're hoping that you get an email back immediately, thanking you for pointing out this glaring problem, and that they'll address it right away. But whatever hope they had for immediate gratification didn't pan out. No one was getting back to them. Edwin says they forwarded the report to the other email address that they found earlier.
A couple of hours later, when we had no response, we sent them to campaign at Donald Trump and some other emails we found, and that's good for us, because in the end it turned out evidence was of course hard, and we got a bounce back from one of the email addresses. So that was good for us, because you need to, you know, you can say that you sent an email, but if you have at least a bounce back from one of those email addresses, that's always nice to have.
They felt like this bounced email was their one shred of proof that they tried to do the right thing. But even still, they were concerned that US-CERT hadn't written back yet. They had dealt with them before and knew the routine. He says things were different this time around. Normally you get a ticket number. At this time, we got our responsibility. That's where we started sweating. That's when we got a bit scared.
Like, why don't we get responses? Is it because US-CERT says, okay, he's not a president yet, he's an individual, we don't do anything about it?
Or is it because we already know that this is his password for three years and we're actively using it, so shit, why did these guys find it? You know, all these things go through your head. Jokes aside, the next day there was still no answer from anyone, and their minds were racing. They were almost freaking out. It didn't help that they thought Trump was a vindictive person.
We were getting more and more anxious because, yeah, we do know he's vindictive, so we were a bit scared. Victor points out the situation was a result of an unfortunate coincidence. They hadn't planned to hack Trump. It just sort of happened.
And the path would have looked different if, for example, Mark Zuckerberg had been on the television at that moment. We would have looked for Zuckerberg. We could have missed this completely. It was just random. It had to be like that. It also had to be like him. I don't know why. As Edwin puts it, if Trump was better with his passwords, they wouldn't be in this mess.
And it's still stupid, because I think he was already hacked on Twitter in 2013. Well, probably he had the same password. So he must have changed it then. And why is it now, again, in 2016, the same password? Is it coincidence? Did he just do that because he was in the campaign and somebody else needed to go to his Twitter account? Or is he so lazy that the new password he had was too difficult, so he put it back to his old one? You never know.
The next day, impatient from the lack of response from people in the U.S., they reached out to the Dutch National Cyber Security Centre. They had worked with the NCSC in the past and knew they had contacts with U.S. agencies. From them we got a response, and they said that they would check it up.
And from there on, we had an active conversation with them, and they sent us emails, I think, every five, six hours or something. Yeah, we sent it. We're trying to reach people in the US. We're trying to reach our liaisons at Homeland, etc., etc. Finally, about a week after they hacked Trump, they got the response they were waiting for.
We finally got an email back from the Dutch government saying it's been addressed. We don't know how, but we got word from our US counterparts that it's addressed, so for us it's case closed. And then it was case closed for us as well, and that's the last thing we heard.
So Victor sent his responsible disclosure emails on October 28th, 2016. It was November 2nd when US-CERT confirmed that they were taking action on this. The election was to be held on November 9th, less than a week away. On November 6th, The New York Times reported that Trump's campaign aides had revoked Trump's Twitter access.
They didn't say why or how. Only that Trump no longer could use Twitter. My theory was that it was because of this hack. For us, the big reward was when we saw Obama about a week later talking about the fact that Trump's Twitter was taken away from him.
And then we were immediately thinking that it was us. We don't know. This did actually happen at a rally in Florida. Obama was campaigning for Hillary on November 6th, saw this news, and had this to say. Now, you may have heard that this was just announced. I just read it. So I can't confirm it's true. But apparently his campaign has taken away his Twitter. In the last two days, they had so little confidence in his self-control, they said, we're just going to take away your Twitter. Now, if somebody can't handle a Twitter account, they can't handle the nuclear codes.
It sounds like it was from you guys, probably, but we don't know for sure. There are, of course, a lot of people who don't believe this story, you know, and for us to see Obama laughing about it on TV and telling him that if you can't handle Twitter you can't handle nuclear codes, yeah, for us that was a bit of a
They never did hear anything from Trump or US-CERT directly about this event. They didn't hear anything from Twitter either. Victor had some suggestions for Twitter about this.
He tweeted that verified Twitter accounts should have better security. We start asking also to Twitter, please, you know, for verified accounts or for US officials that are, you know, running in an election, those Twitter accounts need to be protected by default with two-factor authentication, you know, and other things. Other things like password reset protection. Edwin agrees that influential accounts need good security.
People with a blue checkmark on the box are people that a lot of people listen to or look up to, so if their account got hacked and it's been used for misinformation or whatever, it shouldn't be possible, so you must enforce some stricter security on those accounts if you can.
That's what it's all about for the Grumps: securing the internet to block digital abuse. They'll never really know if Twitter specifically responded to the Trump hack or took heed of Victor's tweets. It's just been a one-way conversation so far. There's always old men shouting at the clouds, grumpy old men. Yeah, grumpy old people shouting at the cloud. And sometimes it works. There's one thing you need to understand. If you do responsible disclosures on this kind of level, it is very common that they will use your signal, or they will see your notification, and they will do something about it, and they will not mention you.
Leading up to the 2020 US election, Twitter said in a September blog post that they were now forcing election-related accounts with weak passwords to switch to stronger ones. This meant at least 10 characters and a mix of letters and symbols. Twitter also made password reset protection a default setting. This meant that a password reset would require someone to confirm the account's email or phone number.
And they encouraged, but didn't actually require, two-factor authentication leading up to the 2020 presidential election. I think it's a good thing that Twitter made their security levels a little bit higher, protecting the people that are now running for the elections. It's a good thing. It sometimes takes a little bit of time for organizations to adapt or, you know, to make it better and more secure for the users. But overall, it will happen.
Whether you're the average user or the president of the United States, you don't have to wait for Twitter or anyone else to do something more. You can turn on two-factor authentication and use a strong password now. The Grumps' hack of Trump started out by accident, but the relative ease with which they pulled it off is amazing and alarming. Someone with worse intentions could have replicated their methods.
But fortunately, the Grumps got there first. In the end, they helped secure a presidential candidate's vulnerable account, days before an election. To the Grumps, that was worth it. People don't believe that we did it, don't believe that Trump's password was yourefired. Well, we've got the evidence, we've got, you know, we showed it, and we were in his Twitter account a couple of days before the election.
I think, I think, you know, if you read the email, it's very clear. It's going to be helpful just to prevent other people from doing something bad with it. And I think we did the right thing. Did they do the right thing, though? Was this really ethical? Trump did not give them permission. So that did cross a line. But then their intentions mattered. And their intentions were to contact the proper authorities to resolve this privately and as quickly as possible.
They clearly stood out in the open and took credit for this. They didn't try to hide from anything or anyone. And I guess part of the reason they never got in any trouble was because they were transparent and reported everything they had done in their disclosure.
I met Edwin in person in Las Vegas in 2019. All these guys had their real names and contact information all over the reports they submitted. And because they've been in the US since then, it would have been easy for them to be arrested if they were actually criminals. But nobody did arrest them. Which tells me they did do the right thing.
I want to turn around and take one last look at what happened here. LinkedIn was breached in 2012. The database dump was posted publicly for anyone in 2016. And that's where Trump's password was. But the first time Trump's Twitter was hacked was in 2013, a year after the LinkedIn breach. So I just wonder if someone saw his password in that breach and that's how they logged into Twitter then. And if so, why didn't he change his password in 2013?
But either way, this is just the story of one person who was hacked due to the LinkedIn database dump. I know for certain there were other people who were victims too. I mean, there were millions of people in that database dump. And most of their stories probably didn't have happy endings. Like, how many people also had PayPal logins with the same email address and password? It's nice that the Guild of the Grumpy Old Hackers were willing to help.
But Victor here, Victor really sparks my curiosity, because his Twitter bio says he's done 5,789 responsible disclosures, or as they're calling them now, coordinated vulnerability disclosures. And specifically, disclosure number 5,780 is a doozy. So crazy that it started an international investigation where Victor was the person of interest.
You've got to hear that story, but we're out of time. So this is where we'll pick up in the next episode. See you in two weeks.
A big thank you to Edwin, Matt, and Victor for sharing your adventures with us. You can find links to all these people in the show notes or at darknetdiaries.com. I bring the show to you every two weeks. Do you like it and want to hear more episodes? A great way to show your support is to help fund the show through Patreon. As a thank you, when you become a member, you get access to an ad-free feed and bonus episodes. Visit patreon.com/darknetdiaries to donate. Thank you.
This show is made by me, the Pie Guy, Jack Rhysider. This episode was produced by the Cloud Watcher, Charles Bolty. Editing on this episode by Thing 3, Damien. Original music and sound design by the Cyber Monster, Garrett Tiedemann, and our theme music is by the half-full Breakmaster Cylinder. And even though, if you put a million monkeys in front of a million keyboards, one will eventually write a Python program, this is Darknet Diaries.