The Washington Post

A short investigation into the mysterious tweets from press secretary Sean Spicer

In 2017, being press secretary for the White House means that you (or someone working for you) control the verified @PressSec account on Twitter. Most of the tweets from the account so far have been pretty run-of-the-mill: tweeting about President Trump’s schedule, accepting an apology from a reporter for a corrected mistake, and releasing pictures of the president at work.

But a couple of his tweets have been a bit more mysterious:

What are the tweets? Each is eight characters that make no obvious sense, tweeted two mornings in a row.

One possibility is that they are passwords, tweeted out as whoever is behind the account gets used to the new security procedures governing it. There are a lot of theories out there on how it might have happened. By far the most likely is that of the Guardian’s Alex Hern, who identified one possible way that could happen, if the @PressSec account has two-factor authentication activated.

Two-factor authentication provides an extra layer of security for password-protected accounts, and it would be good for the official account of the press secretary for the White House to have it. In fact, it would be good for anyone with a Twitter account to have it. According to a brand-new Pew report on cybersecurity, about 52 percent of Americans have used two-factor at some point to manage an account.

In case you are one of the 48 percent of Americans who haven’t used it, here’s how it works: In addition to entering a password, two-factor requires users to enter a randomly generated code that changes with each login, usually sent to your phone through either an app or a text message. For Twitter, those codes are sent via text by default, from a number that should look familiar to any longtime Twitter user: 40404.

40404 also happens to be the number you use to post a tweet via SMS, assuming you’ve linked Twitter to your phone and given the platform permission to post tweets in this way. The “Cloudhopper” in Hern’s screencap of the Spicer tweet indicates that the tweet was, in fact, posted by SMS. And it actually works: I was able to post a Tweet this morning by replying to my latest two-factor code with a text:

Like Spicer’s tweet, mine indicates that it was sent from “Cloudhopper” too, sent via text.

But not everyone on Twitter would be able to accidentally tweet by sending a text to 40404. Twitter’s website discusses an SMS PIN setting that requires users to place a PIN at the beginning of each SMS tweet, designed to stop people from spoofing your account, and that would also (presumably) prevent someone from tweeting something accidentally. Except that feature is currently only supported for non-U.S. users.
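
The shared-number problem described above, as a small model (an added example, not code from the Post or from Twitter). The class and function names, the phone number and the PIN are constructed; the PIN prefix is the setting the article mentions, and the pending-code check is an extra safeguard assumed here for comparison.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    phone: str
    sms_pin: Optional[str] = None                 # hypothetical per-account SMS PIN
    pending_codes: set = field(default_factory=set)
    timeline: list = field(default_factory=list)

class ShortCodeGateway:
    """Toy model: one short code (40404 in the article) sends login codes AND accepts posts."""
    def __init__(self, reject_pending_codes=False):
        self.reject_pending_codes = reject_pending_codes  # extra check, assumed here
        self.by_phone = {}

    def link(self, account):
        self.by_phone[account.phone] = account

    def send_login_code(self, account):
        code = secrets.token_hex(4)               # constructed 8-character code
        account.pending_codes.add(code)
        return code                               # stands in for the outbound SMS body

    def receive_sms(self, from_phone, body):
        account = self.by_phone.get(from_phone)
        if account is None:
            return "ignored: unknown sender"
        text = body.strip()
        if account.sms_pin is not None:           # PIN must lead every SMS post
            pin, _, rest = text.partition(" ")
            if not rest or not hmac.compare_digest(pin.encode(), account.sms_pin.encode()):
                return "rejected: missing or wrong PIN"
            text = rest
        if self.reject_pending_codes and text in account.pending_codes:
            return "rejected: body matches a pending login code"
        account.timeline.append(text)
        return "posted"

def reply_with_code(pin=None, reject_pending_codes=False):
    """Simulate the slip: the user replies to the login-code text with the code itself."""
    gateway = ShortCodeGateway(reject_pending_codes)
    account = Account(phone="+15555550100", sms_pin=pin)   # constructed number
    gateway.link(account)
    code = gateway.send_login_code(account)
    return gateway.receive_sms(account.phone, code), account.timeline == [code]

if __name__ == "__main__":
    for kwargs in ({}, {"pin": "4821"}, {"reject_pending_codes": True}):
        print(kwargs, reply_with_code(**kwargs))
```

With no PIN and no code check, the reply lands on the timeline; either safeguard rejects it, while a deliberate post that starts with the PIN still goes through.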

But that’s just a theory. So we asked the White House for some guidance on why Spicer’s account had tweeted and deleted these two things at the beginning of two work days in a row, whether those tweets were of passwords or authentication codes, and what security settings were currently in place on the White House’s Twitter accounts to prevent unauthorized people from accessing them. The reply from White House spokesman Michael Short was “Ever heard of a pocket tweet?” We also emailed Spicer this afternoon, but he was not immediately available for comment.

Anyway, this concludes our important investigation into two weird tweets.
