How DeRay McKesson’s Phone, Twitter, and Email All Got Hacked in a Single Move

Photo: Kimberly White/Getty Images

It’s been a bang-up couple of months for hackers. Tumblr, MySpace, Twitter, LinkedIn, Katy Perry, Mark Zuckerberg, the NFL, and North Korea’s Facebook clone are just a few of the victims who have been digitally compromised of late. And now, you can add activist and politician DeRay McKesson to the ever-growing list. McKesson’s phone, Twitter, and email were breached on Friday, McKesson explained on Twitter after regaining access to his account.

To impersonate McKesson, the hacker, who made themself known on Twitter with several pro-Trump tweets from McKesson’s account, needed only the last four digits of his Social Security number. With that information (which, granted, could be tricky to find, but not that tricky for someone hell-bent on hacking), the hacker was able to convince Verizon to switch the SIM (a smart card inside your phone that stores your data and essentially makes your phone your phone) connected to the account from the one in McKesson’s phone to one in their own. From there, all notifications and texts from Verizon went to the hacker’s phone, instead of McKesson’s, because his account had effectively been removed from his physical device. This style of hacking is a practice known as “social engineering,” where a person manipulates someone else into giving them access through a series of nuanced steps. (In this case, the hacker posing as McKesson got Verizon to change the SIM, and then used that switch to change McKesson’s passwords, and then used those passwords to hack his email accounts and Twitter. You get the idea.)

There are several ways to protect yourself from getting hacked (not using the same passwords across multiple platforms is a good way to start, cough cough, Mark Zuckerberg). Another is turning on two-step verification for accounts, which requires you to log in via password, and then sends a one-time-use code to your cell phone that you have to input to complete the process. In theory, only you would have both the password and the phone with the code, making it much more difficult for someone else to access your account or device. What is most alarming about McKesson’s hack is that he was using two-factor verification, but the hacker’s phone-call workaround rendered it useless.

Since then, McKesson says that Twitter has helped him get his account access back and deleted tweets from the hacker. Verizon, which has a recording of the phone call with the hacker (“this call may be recorded for quality assurance”), is looking into the situation. Select All reached out to the company for more information on the situation and to see if Verizon had recommendations for customers looking to avoid a similar ordeal. “Verizon takes the security and privacy of our customers very seriously. We are aware of Mr. McKesson’s claims and Verizon security teams are investigating,” a representative said.

For now, remember to keep your passwords private and complex. Keep a tight leash on your Social Security number and a close watch on your personal accounts. And please, please, for the love of Steve Jobs, stop using “password” as a password. Yes, I’m looking at you.