Twitter disables tweeting via SMS (temporarily at least), in wake of Jack Dorsey account hijack

Graham Cluley
Graham Cluley
@[email protected]

Twitter disables tweeting via SMS (temporarily at least), in wake of Jack Dorsey account hijack

You can no longer post a message on Twitter just by sending an SMS… although the feature might come back at a later date.

Twitter’s official support account announced that the feature was being disabled on Wednesday evening, just days after Twitter’s own CEO, Jack Dorsey, had his account hijacked.

Whoever was responsible for spewing out a series of unsavoury tweets from the @jack account to millions of followers succeeded because they successfully tricked Dorsey’s mobile phone operator into giving them control of his phone number.

Sign up to our free newsletter.
Security news, advice, and tips.

The technique, which uses social engineering to convince mobile phone operators into thinking you’re really the person whose number you’re trying to steal, is known as a SIM swap attack (also sometimes called a Port Out scam).

Twitter’s CEO isn’t the only person to fall victim to the scam in recent days. Other victims have included actress Chloë Grace Moretz, and a variety of YouTubers with large followings.

Chloe hacked tweet

As I wrote earlier this week:

“if Twitter is going to accept SMS messages from your mobile phone number and automatically broadcast them to the world, you had better be feeling darn confident that no-one else is going to gain access to your phone – or seize control of your mobile number.”

With mobile phone operators too often being duped into letting fraudsters hijack mobile phone numbers through SIM swap fraud, and even Twitter’s own boss falling victim, the site couldn’t really allow the madness to continue for much longer.

Hence tonight’s announcement:

Sms tweets

We’re temporarily turning off the ability to Tweet via SMS, or text message, to protect people’s accounts.

We’re taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication (we’re working on improving this).

We’ll reactivate this in markets that depend on SMS for reliable communication soon while we work on our longer-term strategy for this feature.

My guess is that Twitter will bring back tweeting via SMS text message at some point. It is, after all, attractive in parts of the world where there has been a lower adoption of smartphones.

But I really do hope the site has finally got to grips with the security around the feature, taking better steps to authenticate users than just looking at the mobile phone number they are tweeting from, and perhaps even disabling the feature for the majority of us who have no use for it.

You can listen to more about the hack of Jack Dorsey’s Twitter account, and SIM swap fraud, in this episode of the “Smashing Security” podcast (recorded before Twitter disabled the tweet via SMS functionality):

Smashing Security #144: 'Google helps the FBI, Twitter Jack’s hijack, and car data woes'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.