What startup CSOs can learn from three enterprise security experts

How do you keep your startup secure?

That’s the big question we explored at TC Sessions: Enterprise earlier this month. No matter the size, every startup is an enterprise. Every startup will grow in size as it builds out. But as a company expands, that rapid growth can lead to a distraction from the foundational principle of any modern company — keeping it secure.

Security isn’t just a buzzword. As some of the largest companies in Silicon Valley have shown, security can be difficult. From storing passwords in plaintext to data breaches galore, how can startups learn from some of the biggest security lapses in the tech industry’s history?

Our panel consisted of three of the brightest minds in enterprise security: Wendy Nather, head of advisory CISOs at Duo Security, is an enterprise security expert; Martin Casado, general partner at Andreessen Horowitz, is a security and enterprise startup investor; and Emily Heath, United’s chief information security officer, oversees the security operations of one of the largest U.S. airlines.

This is the advice they had.

Security from the very start

Shape Security hits $1B valuation with $51M Series F

Anti-fraud startup Shape Security has tipped over the $1 billion valuation mark following its latest Series F round of $51 million.

The Mountain View, Calif.-based company announced the fundraise Thursday, bringing the total amount of outside investment to $173 million since the company debuted in 2011.

C5 Capital led the round along with several other new and returning investors, including Kleiner Perkins, HPE Growth, and Norwest Ventures Partners.

Shape Security protects companies against automated and imitation attacks, which often employ bots to break into networks using stolen or reused credentials. Shape uses artificial intelligence to discern bots from ordinary users by comparing known information such as a user’s location, and collected data like mouse movements to shut down attempted automated logins in real-time.

The company said it now protects against two billion fraudulent logins daily.

C5 managing partner André Pienaar said he believes Shape will become the “definitive” anti-fraud platform for the world’s largest companies.

“While we expect a strong financial return, we also believe that we can bring Shape’s platform into many of the leading companies in Europe who look to us for strategic ideas that benefit the entire value-chain where B2C applications are used,” Pienaar told TechCrunch.

Shape’s chief executive Derek Smith said the $51 million injection will go towards the company’s international expansion and product development — particularly the capabilities of its AI system.

He added that Shape was preparing for an IPO.

Telegram fixes bug that failed to delete ‘unsent’ photos and videos

Mobile messaging app Telegram has fixed a bug allowing users to recover photos and videos ‘unsent’ by other people.

Telegram, which has more than 100 million users, has an ephemeral messaging feature that allows users to “unsend” sent messages from other people’s inboxes, such as when a message is sent by mistake.

But security researcher Dhiraj Mishra, who found the privacy issue and shared his findings exclusively with TechCrunch, said that although Telegram was removing the messages from a user’s device, any sent photos or videos would still be stored on the recipient’s phone.

The researcher found that other messaging apps, like WhatsApp, had the same ephemeral “unsend” feature but, when tested, deleted both the message and its content.

Mishra said the Android version of Telegram would permanently store photos and videos in the device’s internal storage.

“This works perfectly in groups as well,” he told TechCrunch. “If you have a Telegram group of 100,000 members and you send a media message by mistake and you delete it, it only gets deleted from the chat but will remain in media storage of all 100,000 members,” he said.

It’s not known if Telegram users have been affected by the privacy issue. But recently we reported several cases of visa holders who have been denied entry to the U.S. for content on their phones sent by other people.

After TechCrunch reached out, Telegram fixed the vulnerability. Mishra received €2,500 from the bug bounty for discovering and disclosing the vulnerability.

A spokesperson for Telegram confirmed the bug fix had rolled out on September 5.
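The defect described above is a classic one: the client deletes the chat entry but leaves the attachment it already wrote to local storage. The following is an added, constructed model of a messaging client’s on-device state, not Telegram’s code or Mishra’s test; the class and method names (`LocalStore`, `unsend_buggy`, `unsend_fixed`, `orphaned_media`) are hypothetical. It shows the buggy unsend beside a corrected one, plus the audit a tester would run afterwards: list every file in the media directory that no surviving message references.

```python
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Message:
    msg_id: int
    sender: str
    text: str
    media_path: str | None = None  # auto-downloaded attachment, if any


@dataclass
class LocalStore:
    """Constructed model of a client's local state: a message table plus a
    media directory where received attachments are written automatically."""

    media_dir: str
    messages: dict[int, Message] = field(default_factory=dict)

    def receive(self, msg_id: int, sender: str, text: str,
                media_bytes: bytes | None = None) -> None:
        path = None
        if media_bytes is not None:
            # Mirrors the behaviour the article describes: media is saved to
            # device storage as soon as the message arrives.
            path = os.path.join(self.media_dir, f"{msg_id}.bin")
            with open(path, "wb") as fh:
                fh.write(media_bytes)
        self.messages[msg_id] = Message(msg_id, sender, text, path)

    def unsend_buggy(self, msg_id: int) -> None:
        # The bug: only the chat entry is removed; the file stays on disk.
        self.messages.pop(msg_id, None)

    def unsend_fixed(self, msg_id: int) -> None:
        # The fix: remove the chat entry and the attachment it points to.
        msg = self.messages.pop(msg_id, None)
        if msg and msg.media_path and os.path.exists(msg.media_path):
            os.remove(msg.media_path)

    def orphaned_media(self) -> list[str]:
        """Files in the media directory that no remaining message references.
        After a correct unsend this list must be empty."""
        referenced = {os.path.basename(m.media_path)
                      for m in self.messages.values() if m.media_path}
        return sorted(f for f in os.listdir(self.media_dir)
                      if f not in referenced)


def demo(unsend_variant: str) -> tuple[bool, list[str]]:
    """Receive two constructed messages, unsend the one with an attachment,
    and report (is the message still listed?, which media files are orphaned?)."""
    with tempfile.TemporaryDirectory() as media_dir:
        store = LocalStore(media_dir)
        store.receive(1, "alice", "hello")
        store.receive(2, "bob", "sent to the wrong chat",
                      b"\x89PNG constructed attachment bytes")
        getattr(store, unsend_variant)(2)
        return (2 in store.messages, store.orphaned_media())


if __name__ == "__main__":
    print("buggy:", demo("unsend_buggy"))   # message gone, "2.bin" left behind
    print("fixed:", demo("unsend_fixed"))   # message gone, nothing left behind
```

The orphan check is the part worth keeping in a real test suite: it catches the failure from the outside, without trusting whatever the unsend code path reports about itself.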

Monster.com says a third party exposed user data, but didn’t tell anyone

An exposed web server storing résumés of job seekers — including from recruitment site Monster — has been found online.

The server contained résumés and CVs for job applicants spanning between 2014 and 2017, many of which included private information like phone numbers and home addresses, but also email addresses and a person’s prior work experience.

Of the documents we reviewed, most users were located in the United States.

It’s not known exactly how many files were exposed, but thousands of résumés were found in a single folder dated May 2017. Other files found on the exposed server included immigration documentation for work, which Monster does not collect.

A company statement attributed to Monster’s chief privacy officer Michael Jones said the server was owned by an unnamed recruitment partner, with which it no longer works. When pressed, the company declined to name the recruitment partner.

“The Monster Security Team was made aware of a possible exposure and notified the recruitment company of the issue,” the company said, adding the exposed server was secured shortly after it was reported in August.

Although the data is no longer accessible directly from the exposed web server, hundreds of résumés and other documents can be found in results cached by search engines.

But Monster did not warn users of the exposure, and only admitted user data was exposed after a security researcher alerted TechCrunch to the matter.

“Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security,” the company said. “Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”

Under local data breach notification laws, companies are obliged to inform state attorneys general where large numbers of users in their states are affected. Although Monster is not duty bound to disclose the exposure to regulators, some companies proactively warn their users even when third parties are involved.

It’s not uncommon for companies to warn their users of a third-party breach. Earlier this year after hackers siphoned off millions of credit cards from the American Medical Collection Agency, a third-party payments processor, its customers — LabCorp and Quest Diagnostics — admitted to the security lapse.

Monster said that because the exposure happened on a customer system, Monster is “not in a position” to identify or confirm affected users.

A huge database of Facebook users’ phone numbers found online

Hundreds of millions of phone numbers linked to Facebook accounts have been found online.

The exposed server contained over 419 million records across several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam.

But because the server wasn’t protected with a password, anyone could find and access the database.

Each record contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account’s username.

But phone numbers have not been public in more than a year since Facebook restricted access to users’ phone numbers.

TechCrunch verified a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID. We also checked other records by matching phone numbers against Facebook’s own password reset feature, which can be used to partially reveal a user’s phone number linked to their account.

Some of the records also had the user’s name, gender, and location by country.

Image: A redacted set of records from the U.K. database. The “44” indicates +44, the U.K.’s country code, and the “7” indicates a cell phone number.

This is the latest security lapse involving Facebook data after a string of incidents since the Cambridge Analytica scandal, which saw more than 80 million profiles scraped to help identify swing voters in the 2016 U.S. presidential election.

Since then the company has seen several high-profile scraping incidents, including at Instagram, which recently admitted to having profile data scraped in bulk.

This latest incident exposed millions of users’ phone numbers just from their Facebook IDs, putting them at risk of spam calls and SIM-swapping attacks, which rely on tricking cell carriers into giving a person’s phone number to an attacker. With someone else’s phone number, an attacker can force-reset the password on any internet account associated with that number.

Sanyam Jain, a security researcher and member of the GDI Foundation, found the database and contacted TechCrunch after he was unable to find the owner. After a review of the data, neither could we. But after we contacted the web host, the database was pulled offline.

Jain said he found profiles with phone numbers associated with several celebrities.

Facebook spokesperson Jay Nancarrow said the data had been scraped before Facebook cut off access to user phone numbers.

“This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson said. “The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised.”

But questions remain as to exactly who scraped the data, when it was scraped from Facebook, and why.

Facebook has long restricted developers’ access to user phone numbers. The company also made it more difficult to search for friends’ phone numbers. But the data appeared to be loaded into the exposed database at the end of last month — though that doesn’t necessarily mean the data is new.

This latest data exposure is the most recent example of data stored online and publicly without a password. Although often tied to human error rather than a malicious breach, data exposures nevertheless represent an emerging security problem.

In recent months, financial giant First American left data exposed, as did MoviePass and the Senate Democrats.
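The common thread in these exposures is a data store that listens on a public address with authentication switched off. As an added example that is not part of the article and does not describe the server TechCrunch found (the engine involved is not named), here is a small audit over constructed configurations written in MongoDB’s dotted-key style; the keys `net.bindIp`, `net.bindIpAll` and `security.authorization` are real MongoDB settings used as a stand-in, and the defaults assumed when a key is absent (bind to localhost, authorization disabled) are MongoDB’s. It flags the weak configuration, passes the corrected one, and treats unparseable hostnames as reachable so the check fails safe.

```python
from __future__ import annotations

import ipaddress

# Constructed configs (assumed, not from the article) in dotted-key form.
WEAK_CONFIG = {
    "net.bindIp": "0.0.0.0",  # listens on every interface
    "net.port": 27017,
    # no "security.authorization" key: the default is "disabled"
}

FIXED_CONFIG = {
    "net.bindIp": "127.0.0.1,10.0.0.5",  # loopback plus one private address
    "net.port": 27017,
    "security.authorization": "enabled",
}

# Bind values that mean "every interface".
WILDCARDS = {"0.0.0.0", "::", "0.0.0.0/0", "::/0"}


def _addresses(bind_ip: str) -> list[str]:
    """bindIp is a comma-separated list; split and trim it."""
    return [a.strip() for a in bind_ip.split(",") if a.strip()]


def is_publicly_reachable(config: dict) -> bool:
    """True if the listener binds a wildcard, a globally routable address,
    or something we cannot classify offline (a hostname)."""
    if config.get("net.bindIpAll") is True:
        return True
    for addr in _addresses(str(config.get("net.bindIp", "127.0.0.1"))):
        if addr in WILDCARDS:
            return True
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # A hostname could resolve to anything; fail safe.
            return True
        if ip.is_global:
            return True
    return False


def requires_auth(config: dict) -> bool:
    """Authorization must be explicitly enabled; the assumed default is off."""
    return str(config.get("security.authorization", "disabled")).lower() == "enabled"


def audit(config: dict) -> list[str]:
    """Return human-readable findings; an empty list means the config passed."""
    findings = []
    reachable = is_publicly_reachable(config)
    auth = requires_auth(config)
    if reachable:
        findings.append("listener bound to a public or wildcard address")
    if not auth:
        findings.append("authorization disabled (no password required)")
    if reachable and not auth:
        # The combination is the failure mode in the article: anyone who
        # finds the host can read the data.
        findings.append("CRITICAL: database readable by anyone who finds it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Either finding alone is worth fixing, but the two together are what turns a misconfiguration into a public data set, which is why the audit reports the combination as its own critical finding rather than leaving the reader to combine the two lines.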


Another US visa holder was denied entry over someone else’s messages

It has been one week since U.S. border officials denied entry to a 17-year-old Harvard freshman just days before classes were set to begin.

Ismail Ajjawi, a Palestinian student living in Lebanon, had his student visa canceled and was put on a flight home shortly after arriving at Boston Logan International Airport. Customs & Border Protection officers searched his phone and decided he was ineligible for entry because of his friends’ social media posts. Ajjawi told the officers he “should not be held responsible” for others’ posts, but it was not enough for him to clear the border.

The news prompted outcry and fury. But TechCrunch has learned it was not an isolated case.

Since our story broke, we came across another case of a U.S. visa holder who was denied entry to the country on the grounds that he had been sent a graphic WhatsApp message. Dakhil — whose name we have changed to protect his identity — was detained for hours and subsequently had his visa canceled. He was sent back to Pakistan and banned from entering the U.S. for five years.

Since 2015, the number of device searches has increased four-fold to over 30,200 each year. Lawmakers have accused the CBP of conducting itself unlawfully by searching devices without a warrant, but CBP says it does not need to obtain a warrant for device searches at the border. Several courts have tried to tackle the question of whether or not device searches are constitutional.

Abed Ayoub, legal and policy director at the American-Arab Anti-Discrimination Committee, told TechCrunch that device searches and subsequent denials of entry had become the “new normal.”

This is Dakhil’s story.

* * *

As a Pakistani national, Dakhil needed a visa to enter the U.S. He obtained a B1/B2 visa, which allowed him to temporarily enter the U.S. for work and to visit family. Months later, he arrived at George Bush Intercontinental Airport in Houston, Texas, tired but excited to see his cousin for the first time in years.

It didn’t take long before Dakhil realized something wasn’t right.

Dakhil, who had never traveled to the U.S. before, was waiting in the immigration line at the border when a CBP officer approached him to ask why he had traveled to the U.S. He said it was for a vacation to visit his family. The officer took his passport and, after a brief examination of its stamps, asked why Dakhil had visited Saudi Arabia. It was for Hajj and Umrah, he said. As a Muslim, he is obliged to make the pilgrimages to Mecca at least once in his lifetime. The officer handed back his passport and Dakhil continued to wait in line.

At his turn, Dakhil approached the CBP officer in his booth, who asked many of the same questions. But, unsatisfied with his responses, the officer took Dakhil to a small room close to but separate from the main immigration hall.

“He asked me everything,” Dakhil told TechCrunch. The officer asked about his work, his travel history and how long he planned to stay in the U.S. He told the officer he planned to stay for three months with a plan to travel to Disney World in Florida and later New York City with his wife and newborn daughter, who were still waiting for visas.

The officer then rummaged through Dakhil’s carry-on luggage, pulling out his computer and other items. Then the officer took Dakhil’s phone, which he was told to unlock, and took it to another room.

For more than six hours, Dakhil was forced to sit in a bright, cold and windowless airport waiting room. There was nowhere to lie down. Others had pushed chairs together to try to sleep.

Image: A U.S. immigration form detailing Dakhil’s deportation.

Dakhil said when the officer returned, the questioning continued. The officer demanded to know more about what he was planning to do in the U.S. One line of questioning focused on an officer’s accusation that Dakhil was planning to work at a gas station owned by his cousin — which Dakhil denied.

“I told him I had no intention to work,” he told TechCrunch. The officer continued with his line of questioning, he said, but he continued to deny that he wanted to stay or work in the U.S. “I’m quite happy back in Karachi and doing good financially,” he said.

Two more officers had entered the room and began to interrogate him as the first officer continued to search bags. At one point he pulled out a gift for his cousin — a painting with Arabic inscriptions.

But Dakhil was convinced he would be allowed entry — the officers had found nothing derogatory, he said.

“Then the officer who took my phone showed me an image,” he told TechCrunch. It was an image from 2009 of a child, who had been murdered and mutilated. Despite the graphic nature of the image, TechCrunch confirmed the photo was widely distributed on the internet and easily searchable using the name of the child’s murderer.

“I was shocked. What should I say?” he told TechCrunch, describing the panic he felt. “This image is disturbing, but you can’t control the forwarded messages,” he explained.

Dakhil told the officer that the image was sent to him in a WhatsApp group. It’s difficult to distinguish where a saved image came from on WhatsApp, because it automatically downloads received images and videos to a user’s phone. Questionable content — even from unsolicited messages — found during a border search could be enough to deny the traveler entry.

The image was used to warn parents about kidnappings and abductions of children in his native Karachi. He described it as one of those viral messages that you forward to your friends and family to warn parents about the dangers to their children. The officer pressed for details about who sent the message. Dakhil told the officer that the sender was someone he met on his Hajj pilgrimage in 2011.

“We hardly knew each other,” he said, saying they stayed in touch through WhatsApp but barely spoke.

Dakhil told the officer that the image could be easily found on the internet, but the officer was more interested in the names of the WhatsApp group members.

“You can search the image over the internet,” Dakhil told the officer. But the officer declined and said the images were his responsibility. “We found this on your cellphone,” the officer said. At one point the officer demanded to know if Dakhil was organ smuggling.

After 15 hours of answering questions and waiting, the officers decided that Dakhil would be denied entry and would have his five-year visa cancelled. He was also told his family would have their visas cancelled. The officers asked Dakhil if he wanted to claim asylum, which he declined.

“I was treated like a criminal,” Dakhil said. “They made my life miserable.”

* * *

It’s been almost nine months since Dakhil was turned away at the U.S. border.

He went back to the U.S. Embassy in Karachi twice to try to seek answers, but embassy officials said they could not reverse a CBP decision to deny a traveler entry to the United States. Frustrated but determined to know more, Dakhil asked for his records through a Freedom of Information Act (FOIA) request — which anyone can do — but had to pay hundreds of dollars for its processing.

He provided TechCrunch with the documents he obtained. One record said that Dakhil was singled out because his name matched a “rule hit,” such as a name on a watchlist or a visit to a country under sanctions or embargoes, which typically requires additional vetting before the traveler can be allowed into the U.S.

The record did not say what flagged Dakhil for additional screening, and his travel history did not include an embargoed country.

Image: CBP’s reason for denying entry to Dakhil, obtained through a FOIA request.

One document said CBP denied Dakhil entry to the U.S. “due to the derogatory images found on his cellphone,” and his alleged “intent to engage in unauthorized employment during his entry.” But Dakhil told TechCrunch that he vehemently denies the CBP’s allegations that he was traveling to the U.S. to work.

He said the document portrays a different version of events than what he experienced.

“They totally changed this scenario,” he said, rebutting several remarks and descriptions reported by the officers. “They only disclosed what they wanted to disclose,” he said. “They want to justify their decision, so they mentioned working in a gas station by themselves,” he claimed.

The document also said Dakhil “was permitted to view the WhatsApp group message thread on his phone and he stated that it was sent to him in September 2018,” but this was not enough to satisfy the CBP officers who ruled he should be denied entry. The document said Dakhil stated that he “never took this photo and doesn’t believe [the sender is] involved either,” but he was “advised that he was responsible for all the contents on his phone to include all media and he stated that he understood.”

The same document confirmed the contents of his phone were uploaded to the CBP’s central database and provided to the FBI’s Joint Terrorism Task Force.

Dakhil was “found inadmissible” and was put on the next flight back to Karachi, more than a day after he was first approached by the CBP officer in the immigration line.

A spokesperson for Customs & Border Protection declined to comment on individual cases, but provided a boilerplate statement.

“CBP is responsible for ensuring the safety and admissibility of the goods and people entering the United States. Applicants must demonstrate they are admissible into the U.S. by overcoming all grounds of inadmissibility including health-related grounds, criminality, security reasons, public charge, labor certification, illegal entrants and immigration violations, documentation requirements, and miscellaneous grounds,” the spokesperson said. “This individual was deemed inadmissible to the United States based on information discovered during the CBP inspection.”

CBP said it also has the right to cancel visas if a traveler is deemed inadmissible to the United States.

It’s unlikely Dakhil will return to the U.S., but he said he had hope for the Harvard student who suffered a similar fate.

“Let’s hope he can fight and make it,” he said.

What you missed in cybersecurity this week

There’s not a week that goes by where cybersecurity doesn’t dominate the headlines. This week was no different. Struggling to keep up? We’ve collected some of the biggest cybersecurity stories from the week to keep you in the know and up to speed.

Malicious websites were used to secretly hack into iPhones for years, says Google

TechCrunch: This was the biggest iPhone security story of the year. Google researchers found a number of websites that were stealthily hacking into thousands of iPhones every week. The operation was carried out by China to target Uyghur Muslims, according to sources, and also targeted Android and Windows users. Google said it was an “indiscriminate” attack through the use of previously undisclosed so-called “zero-day” vulnerabilities.

Hackers could steal a Tesla Model S by cloning its key fob — again

Wired: For the second time in two years, researchers found a serious flaw in the key fobs used to unlock Tesla’s Model S cars, and once again cracked the fob’s encryption. Turns out the encryption key was doubled in size from the first time it was cracked. Using twice the resources, the researchers cracked the key again. The good news is that a software update can fix the issue.

Microsoft’s lead EU data watchdog is looking into fresh Windows 10 privacy concerns

TechCrunch: Microsoft could be back in hot water with the Europeans after the Dutch data protection authority asked its Irish counterpart, which oversees the software giant, to investigate Windows 10 for allegedly breaking EU data protection rules. A chief complaint is that Windows 10 collects too much telemetry from its users. Microsoft made some changes after the issue was brought up for the first time in 2017, but the Irish regulator is looking at whether these changes go far enough — and whether users are adequately informed. Microsoft could be fined up to 4% of its global annual revenue if found to have flouted the law. Based on 2018’s figures, Microsoft could see fines as high as $4.4 billion.

U.S. cyberattack hurt Iran’s ability to target oil tankers, officials say

The New York Times: A secret cyberattack against Iran, carried out in June but only reported this week, significantly degraded Tehran’s ability to track and target oil tankers in the region. It’s one of several offensive operations against a foreign target by the U.S. government in recent months. Iran’s military seized a British tanker in July in retaliation over a U.S. operation that downed an Iranian drone. According to a senior official, the strike “diminished Iran’s ability to conduct covert attacks” against tankers, but sparked concern that Iran may be able to quickly get back on its feet by fixing the vulnerability used by the Americans to shut down Iran’s operation in the first place.

Apple is turning Siri audio clip review off by default and bringing it in house

TechCrunch: After Apple was caught paying contractors to review Siri queries without user permission, the technology giant said this week it will turn off human review of Siri audio by default and bring any opt-in review in-house. That means users actively have to allow Apple staff to “grade” audio snippets made through Siri. Apple began audio grading to improve the Siri voice assistant. Amazon, Facebook, Google, and Microsoft have all been caught out using contractors to review user-generated audio.

Hackers are actively trying to steal passwords from two widely used VPNs

Ars Technica: Hackers are targeting and exploiting vulnerabilities in two popular corporate virtual private network (VPN) services. FortiGate and Pulse Secure let remote employees tunnel into their corporate networks from outside the firewall. But these VPN services contain flaws which, if exploited, could let a skilled attacker tunnel into a corporate network without needing an employee’s username or password. That means they can get access to all of the internal resources on that network — potentially leading to a major data breach. News of the attacks came a month after the vulnerabilities in widely used corporate VPNs were first revealed. Thousands of vulnerable endpoints exist — months after the bugs were fixed.

Grand jury indicts alleged Capital One hacker over cryptojacking claims

TechCrunch: And finally, just when you thought the Capital One breach couldn’t get any worse, it does. A federal grand jury said the accused hacker, Paige Thompson, should be indicted on new charges. The alleged hacker is said to have created a tool to detect cloud instances hosted by Amazon Web Services with misconfigured web firewalls. Using that tool, she is accused of breaking into those cloud instances and installing cryptocurrency mining software. This is known as “cryptojacking,” and relies on using computer resources to mine cryptocurrency.

Police hijack a botnet and remotely kill 850,000 malware infections

In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers.

The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor. Although the malware was used to generate money, the malware operators easily could have run other malicious code, like spyware or ransomware. The malware also has wormable properties, allowing it to spread from computer to computer.

Since its first appearance, the cryptocurrency mining malware has spread across the world, including the U.S., Russia, and Central and South America.

According to a blog post announcing the bust, security firm Avast confirmed the operation was successful.

The security firm got involved after it discovered a design flaw in the malware’s command and control server. That flaw, if properly exploited, would have “allowed us to remove the malware from its victims’ computers” without pushing any code to victims’ computers, the researchers said.

The exploit would have dismantled the operation, but the researchers lacked the legal authority to push ahead. Because most of the malware’s infrastructure was located in France, Avast contacted French police. After receiving the go-ahead from prosecutors in July, the police went ahead with the operation to take control of the server and disinfect affected computers.

The French police called the botnet “one of the largest networks” of hijacked computers in the world.

The operation worked by secretly obtaining a snapshot of the malware’s command and control server with cooperation from its web host. The researchers said they had to work carefully as to not be noticed by the malware operators, fearing the malware operators could retaliate.

“The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income,” the security company said. “But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”

With a copy of the malicious command and control server in hand, the researchers built their own replica, which disinfected victim computers instead of causing infections.

“[The police] replaced the malicious [command and control] server with a prepared disinfection server that made connected instances of Retadup self-destruct,” said Avast in a blog post. “In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, abusing the protocol design flaw.”

In doing so, the company was able to stop the malware from operating and remove the malicious code from over 850,000 infected computers.

Jean-Dominique Nollet, head of the French police’s cyber unit, said the malware operators generated several million euros worth of cryptocurrency.

Remotely shutting down a malware botnet is a rare achievement — but difficult to carry out.

Several years ago the U.S. government amended Rule 41, which now allows judges to issue search and seizure warrants outside of their jurisdiction. Many saw the move as an effort by the FBI to conduct remote hacking operations without being hindered by the locality of a judge’s jurisdiction. Critics argued it would set a dangerous precedent to hack into countless computers on a single warrant from a friendly judge.

Since then the amended rule has been used to dismantle at least one major malware operation, the so-called Joanap botnet, linked to hackers working for the North Korean regime.

Sources say China used iPhone hacks to target Uyghur Muslims

A number of malicious websites used to hack into iPhones over a two-year period were targeting Uyghur Muslims, TechCrunch has learned.

Sources familiar with the matter said the websites were part of a state-backed attack — likely China — designed to target the Uyghur community in the country’s Xinjiang state.

It’s the latest in a series of efforts by the Chinese government to crack down on the minority Muslim community. In the past year, Beijing has detained more than a million Uyghurs in internment camps, according to a United Nations human rights committee.

Google security researchers found and recently disclosed the malicious websites this week, but until now it wasn’t known who they were targeting.

The websites were part of a campaign to target the religious group by infecting an iPhone with malicious code simply by visiting a booby-trapped web page. In gaining unfettered access to the iPhone’s software, an attacker could read a victim’s messages, passwords, and track their location in near-real time.

Apple fixed the vulnerabilities in February in iOS 12.1.4, days after Google privately disclosed the flaws. News of the hacking campaign was first disclosed this week.

These websites had “thousands of visitors” per week for at least two years, Google said.

Victims were tricked into opening a link, which when opened would load one of the malicious websites used to infect the victim. It’s a common tactic to target phone owners with spyware.

One of the sources told TechCrunch the websites used to infect iPhones had been inadvertently indexed by Google’s search engine, prompting the FBI to alert Google and ask for the sites to be removed from its index to prevent further infections.

A Google spokesperson would not comment beyond the published research. An FBI spokesperson said they could neither confirm nor deny any investigation, and did not comment further.

Google faced some criticism following its bombshell report for not releasing the websites used in the attacks. The researchers said the attacks were “indiscriminate watering hole attacks” with “no target discrimination,” noting that anyone visiting the site would have their iPhone hacked.

But the company would not say who was behind the attacks.

Apple did not comment. An email requesting comment to the Chinese consulate in New York was unreturned.

Someone hacked Jack Dorsey’s own Twitter account

A hacker has broken into Jack Dorsey’s own Twitter account.

It’s not clear how it happened, but the hacker posted over a dozen tweets in quick succession, including racial epithets. Not only that, it means the unnamed hacker also has access to the Twitter chief executive’s private direct messages.

Dorsey has over 4.21 million followers.

Twitter allows users to secure their accounts with two-factor authentication. Facebook boss Mark Zuckerberg once had his Twitter account hacked because his account didn’t use the secondary security feature. He also had a ridiculously easy-to-guess password.

We’ve reached out to Twitter for more but did not immediately hear back.