How activist DeRay Mckesson’s Twitter account was hacked

Even though several huge data breaches have recently exposed hundreds of millions of social media login credentials online, users aren’t resetting their passwords — which means you’ll probably continue to see celebrities’ social media accounts getting hijacked.

Racial justice activist DeRay Mckesson became the most recent example of a high-profile account breach this morning, when his Twitter account suddenly began tweeting endorsements for Donald Trump. Mckesson’s loyal Twitter followers noticed that the endorsement and a follow-up tweet declaring, “I’m not actually black,” were out-of-character.

Mckesson said two of his email addresses were also breached.

After regaining control of his Twitter account, Mckesson explained that the hacker or hackers were able to take over by convincing Verizon to reset his SIM. With the SIM reset, the person responsible was able to receive text messages intended for Mckesson and therefore bypass the two-factor authentication the activist used to keep his account secure.

“Verizon takes the security and privacy of our customers very seriously. We are aware of Mr. McKesson’s claims and Verizon security teams are investigating,” Verizon told TechCrunch.

Mckesson also clarified his stance on presumptive Republican nominee Donald Trump:

Passwords for tens of millions of Twitter accounts appeared online for sale this week, following the hacks of accounts belonging to Katy Perry, Ev Williams, Mark Zuckerberg, Drake and others. Although it’s possible that some of their passwords were included in the auctioned database, it’s more likely that their accounts were compromised because they reused passwords from other breached websites like LinkedIn, Myspace and Tumblr.

That was the case for Forbes journalist Matt Drange, who broke the story of Peter Thiel’s financial contribution to Hulk Hogan’s lawsuit against Gawker. On Thursday, Drange woke up to find his account had been taken over by a porn bot that was tweeting #hottie and #bigcocks instead of Thiel scoops.

Drange said he was alerted to the hack by text messages from friends. “Sure enough, it was just boobs and hashtags,” Drange told TechCrunch. Drange’s account was breached because he’d reused a password from a breached website — his Twitter credentials were not exposed in the recent data dump.

Unlike Mckesson, Drange didn’t have two-factor authentication set up for his account, mistakenly believing that it was set up when he provided his phone number upon registering his Twitter account. He said he’s since added that protection to his account.

Two-factor authentication works by sending a temporary pincode to a trusted device during login, so a user needs both his password and the pincode to access his account. Twitter and other social media platforms recommend two-factor as a way to keep your accounts from being breached, although the hack of Mckesson’s account proves the method isn’t foolproof.

Verizon is the parent company of AOL, which owns TechCrunch.