Twitter is investigating the flurry of offensive messages, including racial slurs, that were posted on Friday evening to Dorsey’s Twitter page, which has 4.2 million followers.
The offensive tweets – which included false reports of a bomb threat at Twitter HQ and messages defending Adolf Hitler – were deleted from the social media platform after about 30 minutes.
“The phone number associated with the account was compromised due to a security oversight by the mobile provider,” Twitter said in a comment posted by spokesman Brandon Borrman late Friday.
Borrman clarified Saturday that the company isn’t identifying the carrier, and so far none of the four major U.S. mobile providers has admitted responsibility.
The security incident “allowed an unauthorised person to compose and send tweets via text message from the phone number. That issue is now resolved,” according to the Friday statement.
The clarification appears to support speculation that Dorsey was the victim of SIM swapping. That’s when someone convinces a mobile carrier to switch an existing number to a new SIM card they control. In this case, it may have required the hackers to have personal details that would allow them to convincingly impersonate one of Silicon Valley’s best-known figures.
More than 15 tweets, many containing obscenities and racist comments, were posted on Dorsey’s account, @jack, shortly before 4 p.m. New York time on Friday. The company started deleting the tweets from Dorsey’s verified Twitter account, which has more than 4 million followers, about 20 minutes after the messages went viral.
A person familiar with Sprint’s operations said the company checked late Friday and there was no record of an account associated with Dorsey. A spokeswoman for T-Mobile, Tara Darrow, said that “for privacy and security reasons, we would never discuss an individual’s circumstances or if they are a customer.” Verizon Communications Inc. and AT&T Inc. didn’t respond to queries from Bloomberg News on Saturday asking if they were Dorsey’s provider.
The attack may not have required any in-person communication on the part of the fraudster. A group calling itself the Chuckling Squad claimed credit for the hack.