Twitter said on Friday the account of chief executive Jack Dorsey had been “compromised” after a series of erratic and offensive messages were posted.
The tweets containing racial slurs and suggestions about a bomb showed up around 2000 GMT on the @jack account of the founder of the short messaging service before being deleted.
Some of the tweets contained the hashtag #ChucklingSquad, which was believed to indicate the identity of the hacker group. The same calling card was left behind during recent hacks of other high-profile social media personalities.
The messages contained racial epithets, and included a retweet of a message supporting Nazi Germany.
Twitter said that the phone number associated with Dorsey's account was “compromised due to a security oversight by the mobile provider”, allowing a hacker to posts tweets to @jack by sending text messages.
Dorsey's account has been secured and there was “no indication that Twitter's systems have been compromised”, according to the San Francisco-based internet firm.
It appeared that tweets posted on Dorsey's account by the hacker were up for about a half-hour before they were removed.
Pinned atop Dorsey's account was a tweet from early last year saying: “We're committing Twitter to help increase the collective health, openness, and civility of public conversation, and to hold ourselves publicly accountable towards progress.”
A barrage of comments fired off on the platform questioned why the Twitter co-founder didn't secure his account better, and how disturbing a sign it was that the service couldn't keep its own chief safe on the platform.
“If you can't protect Jack, you can't protect ... jack,” one Twitter user quipped.
The news comes with Dorsey and Twitter moving aggressively to clean up offensive and inappropriate content as part of a focus on “safety”.
“This might be the only way to get rid of racist tweets on this platform,” a Twitter user commented.
Britain-based security consultant Graham Cluley said the incident highlighted the importance of two-factor authentication, where a user must confirm the account via an external service.
Cluley advised people to make sure they use two-factor authentication and check which applications are linked to their accounts.
“While it looks bad, it's important to remember this is not some state-grade hack,” said R. David Edelman, director of technology, economy, and national security project at Massachusetts Institute of Technology.
“It's fundamentally an act of petty vandalism; the equivalent of spray painting a billboard above Twitter HQ.”
Cybersecurity researcher Kevin Beaumont said the account appeared to have been hijacked “via a third party called Cloudhopper, which Twitter acquired about 10 years ago and had access to his account”.
Cloudhopper enables users to send tweets on their phones via SMS.
“While it's tempting to laugh at the irony of it, the real-world consequences don't make it funny,” University of Hartford communications professor Adam Chiara said of Dorsey's account being hacked.
“Twitter can tell us that they are becoming more diligent with our privacy and security, but actions speak louder than words.”
The incident raised fresh concerns about how social media users — even prominent ones — can have their accounts compromised and used for misinformation, a point highlighted by Canadian member of parliament Michelle Rempel Garner.
“Between bots, trolls and abuse, I've been skeptical about @Twitter as a viable platform for some time now,” Rempel Garner wrote.
“But the fact it took the platform's owner (@jack) about 30 min to get his hacked account under control is deeply problematic, and makes me worry as an elected official.”