The account @realDonaldTrump, which has 87.3 million followers, was only protected by a password at the time, not by Two-Factor-Authentication. It only took Dutch ethical hacker Victor Gevers seven tries to guess the password ‘maga2020!’.

Vrij Nederland has seen screenshots of Gevers’ access to the US president’s account. The files contain sensitive information and cannot be fully disclosed.

Screenshot of Victor Gevers’ computer, made on 16 oktober, 2020 while accessing Donald Trump’s Twitter account.

This is not the first time Gevers has accessed Trump’s Twitter account. Together with friends, he managed to gain access in October 2016, while at an information security conference in Gent, Belgium. They found Trump’s password in a leaked database (‘yourefired’). Vrij Nederland published an article narrating this story last month.

Whomever has access to a Twitter account, can send tweets in its name, change the password and the profile picture, and – if one would want to – download a datafile containing all of the account’s direct messages (DMs). Ethical hackers like Gevers will never do this – as a principle. They will alert a poorly secured user or company through a Responsible Disclosure procedure and report. Previous attempts to warn the US President via such a procedure failed.

One of Victor Gevers’ attempts to reach Donald Trump via ‘responsible disclosure’ report.

It is unclear why the US President’s account Two-Factor Authentication was disabled at the time. The breach shows that even the information security of one of the most powerful individuals on the planet is flawed. It is still possible – to this day – to access an account that has so many followers without Two-Factor-Authentication. Twitter has not responded to Gevers’ and Vrij Nederland’s repeated inquiries as to how it is possible that the account of the President of the United States of America did not have the extra security at that time.

Correction: an earlier version of this story stated that the hackers ‘guessed’ Trumps password. This phrasing is incorrect, and was therefore changed to ’they found Trump’s password in a leaked database’.