On October 27, 2016 – after the hacker conference BruCON – 3 Dutch hackers, members of the Guild Of The Grumpy Old Hackers, gained access to Donald Trump’s Twitter account.

Two weeks prior to the US elections, the hackers got access to a LinkedIn database containing 117 million usernames and passwords. The database had been circulating in criminal networks since 2012 and was only put up for sale on the dark markets in 2016. After this, the file also started circulating within the information security community. This is how and when the grumpy old hackers also gained access.

As it turns out, this database also contained Donald Trump’s information.

[email protected]:07b8938319c267dcdb501665220204bbde87bf1d
From which the hackers distilled the following password: yourefired.
This can be easily verified with applications such as https://passwordsgenerator.net/sha1-hash-generator/.

To their great surprise, Twitter accepted the password, but asked for an email address for verification purposes. [email protected] didn’t work, but after a few wild guesses from the hackers the correct Twitter email address for Trump surfaced: [email protected].

With this email address they were able to log into Trump’s Twitter account. Since the contents of the piece, as well as the timing of publication, have raised questions about authenticity, the timeline the grumpy hackers made is included below, along with additional screenshots from their own presentation, which they have been sharing in security intel circles.

The grumpy hackers addressed the above email to Trump and to US CERT (United States Computer Emergency Readiness Team). When no response came, they tried to get in touch via alternative routes. They sent a similar message to the Dutch CERT, NCSC-NL (Nationaal Cyber Security Centrum), which forwarded the message on to US CERT for a second time.

Below is one of the emails from NCSC-NL.

Finally, on November 2nd, there was a response.

Something changed at the White House; this much became clear after publication of this New York Times story:

Trump’s name not only surfaced in the LinkedIn database, but also in leaked databases of some computer games and dating site Ashley Madison.

These can of course be fake accounts. But the leaked Ashley Madison database didn’t contain readable passwords, only hashed ones (bcrypt), which are difficult to crack with existing techniques. However, by running the password ‘yourefired’ through the bcrypt process, the grumpy hackers found there was a Trump account at Ashley Madison with the same password: ‘yourefired’.
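Why the unsalted SHA-1 record from the LinkedIn file and the bcrypt records described above behave differently, as an added example that is not from the original article or the hackers' material. It assumes PBKDF2 from Python's standard library as a stand-in for bcrypt (both keep a random salt in each record); the record format and function names are hypothetical.

```python
import hashlib
import hmac
import os

# Hash exactly as printed on this page for the LinkedIn record (unsalted SHA-1).
PAGE_SHA1 = "07b8938319c267dcdb501665220204bbde87bf1d"

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1: the same password always yields the same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def matches_unsalted(candidate: str, stored_hex: str) -> bool:
    return hmac.compare_digest(sha1_hex(candidate), stored_hex.strip().lower())

def make_salted_record(password: str, iterations: int = 100_000) -> str:
    """Hypothetical record format: scheme$iterations$salt$derived_key.
    PBKDF2 stands in for bcrypt here; both store a random per-record salt."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"

def matches_salted(candidate: str, record: str) -> bool:
    """Re-derive the key with the salt and cost stored in the record itself."""
    scheme, iterations, salt_hex, key_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)

def distinct_hashes(password: str, accounts: int = 3) -> tuple:
    """Store one password for several constructed accounts under both schemes
    and count the distinct stored values: (unsalted, salted)."""
    unsalted = {sha1_hex(password) for _ in range(accounts)}
    salted = {make_salted_record(password) for _ in range(accounts)}
    return len(unsalted), len(salted)

if __name__ == "__main__":
    reused = "yourefired"  # password named on this page
    print("matches the SHA-1 printed on the page:", matches_unsalted(reused, PAGE_SHA1))
    print("distinct stored values (unsalted, salted):", distinct_hashes(reused))
    record = make_salted_record(reused)  # constructed record, not leaked data
    print("salted record verifies the reused password:", matches_salted(reused, record))
    print("salted record rejects another password:", matches_salted("different", record))
```

A salted, slow hash hides which accounts share a password and makes bulk guessing expensive, but a password already exposed at another service still verifies on the first attempt, which is why reuse across services undoes the protection.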

While the Grumpy Hackers never informed the media, their story was known in close-knit hacker circles.

This is how I traced the story, at the Chaos Computer Conference in Leipzig, in December 2019.