The most powerful Twitter account in the world was apparently linked to a private Gmail account that may or may not be protected with two-step authentication.
A hacker known on Twitter as @WauchulaGhost told CNN that the president’s account was linked to a personal email account — most likely one belonging to Dan Scavino, his social media chief.
— WauchulaGhost (@WauchulaGhost) January 21, 2017
That means a hacker could potentially gain access to that Gmail account, which may have only a single layer of password protection, to ask Twitter to reset Trump’s password and then begin posting messages that could potentially move stock markets or start a nuclear war.
Twitter allows users — or hackers — to reset their password code through a hyperlink sent to the email account associated with the social media account.
That’s helpful when the account’s rightful owner forgets his or her password, but problematic when a hacker breaks in and locks out the legitimate user.
If two-step authentication is enabled, and there’s no indication that Trump uses that process to protect his account, a motivated or sophisticated hacker could still break in.
To make matters worse, Trump apparently sends his own tweets from an unsecured Android phone, according to the New York Times.
The consequences could be devastating if a hacker gained access to Trump’s account — which has 22.2 million followers and now the power and authority of the White House.
The possibility is also deeply ironic, considering Trump and his supporters frequently attacked his election rival, Hillary Clinton, over concerns about the security of her own online communications.
WauchulaGhost claims Trump and his wife, Melania, along with Vice President Mike Pence, are especially vulnerable to hackers because they’re not using two-step authentication on their official Twitter accounts — @POTUS, @FLOTUS and @VP.
That would require anyone who wanted to reset the password to wait until a private code was texted to the user’s phone.
Their current security setting, and possibly the president’s frequently used personal account, allows any one to request a new password and then be shown a partially redacted email address to which Twitter will send a password recovery link.
“It’s not hard for us to go figure out that email,” the hacker said. “I’ve taken over 500 Islamic State accounts.”
He publicly tweeted the partial emails associated with those accounts Monday, urging the Trumps and Pence to “change your emails & fix your settings.”
Several top Trump administration officials — Kellyanne Conway, Jared Kushner, Sean Spicer and Steve Bannon — are reportedly using email accounts linked to the RNC server hacked during the presidential campaign.
Spicer, the White House press secretary, has his own issues with Twitter security.
Spicer apparently tweeted out a password to some type of account — it’s not clear exactly what — twice in three days this week.
— JΞSTΞR ✪ ΔCTUAL³³º¹ (@th3j35t3r) January 26, 2017
A second email account, apparently from a WhiteHouse.gov domain, was later linked to Trump’s Twitter account, according to an Elite Daily reporter.
The Gmail account was then removed, and a second account — also from an apparent WhiteHouse.gov domain, was added.
Updated to show that additional accounts were added to Trump’s social media account.