Nearly half of cabinet ministers aren't taking enough security precautions on Twitter and it's leaving them at risk of being hacked, a tech specialist has told BuzzFeed News.
Out of the 19 who use Twitter professionally, only 11 are using the option that requires a user to input the email address associated with the account in order to retrieve a lost password.
Because of the way Twitter works, it is possible to easily access a page showing the partially redacted email address linked to an account, by using the "forgotten password?" link on the website's homepage.
This can compromise the online security of the people using these accounts. Knowing which email address a person uses for their Twitter account makes it far easier to target them and to craft a credible message that persuades them to click a link that will compromise their security.
Mustafa Al-Bassam, who used to be part of hacking group Lulzsec and who now volunteers at Privacy International, said:
"If hackers can learn the email address that you use for Twitter, then it makes it easier to compromise your Twitter account, as they can try to compromise your email address or send you phishing emails, which gives them a much greater vector of attack, especially if it's also used across all your other websites."
The accounts without the extra tier of security include prime minister Theresa May, chancellor Philip Hammond, foreign secretary Boris Johnson, Brexit secretary David Davis, Commons leader David Lidington, Scotland secretary David Mundell, development secretary Priti Patel, and Pat McLoughlin, the transport secretary.
Last week a hacker who calls himself WauchulaGhost pointed out that several figures in the Trump administration, including the president, vice president, and first lady, had insecure Twitter accounts.
"All I have to do is guess the email, which I have been rather good at doing, then verify the email exists," WauchulaGhost told CNN last week.
"At that point take the email account, reset Twitter password, boom....I own the Pres. Not saying I'm going to..haha. But it's rather easy for some."
CNN reported that once one has an email address, tactics such as "apps that guess multiple passwords at once" or "using known information about a person to trick them into sharing their password" can be used to gain access to the email account.
The difficulty in accessing emails depends on the type of email address – in the case of cabinet ministers, some were official Conservative accounts and others were registered to parliament. It's not known how many of them have two-step verification enabled, which makes getting access harder.
Other senior politicians, including Labour leader Jeremy Corbyn and shadow chancellor John McDonnell, also have vulnerable Twitter accounts that are linked to Gmail accounts.
BuzzFeed News contacted the Cabinet Office about the potential security flaw. The Cabinet Office said that, as the accounts were personal, inquiries should be directed to Conservative campaign headquarters, which had not replied at the time of writing.
Marie Le Conte is a politics and media reporter for BuzzFeed News and is based in London.