It appears that hip hop sensation Jason Derulo's Twitter account has been hacked. Around 2:30 p.m. ET on Tuesday, his account began excessively tweeting some questionable content. The posts include repeated shoutouts to some person named Ray, and others laced with racial slurs and profanities, like one that reads, "we hacked that w***e @theestallion t***y fucker." Another links to a Discord channel. The account remained under hackers' control for over an hour before reverting to normal.
The teens strike again — One tweet in particular seems to take credit for the breach. "All celebs that were hacked were chuckling squad, labelled or not it was us no1 else can do it just how we smoked addison rae dixie anyone u can think off our victims #chuckling."
The tweet presumably refers to the Chuckling Squad, a hacker collective previously linked to attacks on other celebrities including Mariah Carey and Twitter's own CEO Jack Dorsey. The group is likely to be loosely coordinated.
Based on the contents of the tweets, it's not hard to surmise that the hackers are in their youth. More recently, when Twitter was struck by a site-wide attack, federal investigators traced the hack to a 21-year-old based in England who tricked employees into handing over their administrative credentials. In the end, it seemed like the intent was to tweet out Bitcoin scams and make a quick buck rather than conduct any type of espionage or blackmail operations. The whole fiasco proved a major security lapse for Twitter.
Chuckling Squad is known to use SMS exploits to breach accounts, though other hacks of prominent Twitter accounts in the past have taken advantage of third-party services that users have granted permission to create posts.
Ditch the SMS — The hack on Dorsey's account occurred in 2019 after someone called his cellular provider and, using some social engineering, convinced a customer service rep to transfer his number to a new SIM card. With that, hackers were able to receive the two-factor authentication code needed to enter his account. Such a maneuver has become so common that it's been dubbed "SIM swapping." It's likely that Derulo was targeted in a similar fashion, though that's unclear.
Security experts say the best way to protect an online account from breaches is to use a two-factor authentication tool that's not linked to a phone number. An app like Google Authenticator or a physical security key is more secure than SMS, as users need a physical device in their possession in order to authenticate to their account.