Hacker to Trump: Fix your security settings

The same hacker who breached 500 ISIS accounts on Twitter has a message for President Trump: change your security settings ASAP.

According to a man who identifies himself online as WauchulaGhost, the president, vice president, and first lady are more vulnerable to hackers because of a basic Twitter security setting they're not using.

WauchulaGhost contacted me about these insecurities on Saturday. I spent the last three days trying to reach the White House for their response to WauchulaGhost's claims. I sent multiple emails, including several directly to Dan Scavino, Donald Trump's head of social media.

On Monday night, WauchulaGhost made it more public, tweeting the emails associated with the accounts and the message: "Change your emails & Fix Settings."

In June, WauchulaGhost made headlines by hacking into pro-ISIS accounts and replacing content with images of porn and gay pride messages. He says he has no interest in hacking the president, but that Trump's security settings may leave him vulnerable to other hackers.

According to WauchulaGhost, @POTUS, @FLOTUS and @VP are more vulnerable because they haven't selected a basic security feature on Twitter that requires you to provide a phone number or email address to reset your password. The current security setting for these three accounts allows anyone to click on "forgot password" and type in @FLOTUS, @POTUS or @VP. The next screen says "we found the following information associated with your account" and gives a partially redacted email address to which it will send a password recovery link.

WauchulaGhost says being able to fill in the missing letters and guess someone's email address is the first step hackers take when trying to breach an account.

"It's not hard for us to go figure out that email," he told CNNTech in a Twitter direct message. "I've taken over 500 Islamic State accounts."

WauchulaGhost says he found the likely email associated with Melania Trump's handle within twenty minutes. He said the email associated with Vice President Mike Pence was easy to guess once you saw the redacted version: vi***************@gmail.com, which WauchulaGhost pieced together as [email protected]. It has since been changed, but the president and first lady's email addresses remain the same. (And the VP account still doesn't have the extra layer of security.)

CNNTech reached out multiple times to the White House and to Scavino to alert them to the lack of security on the accounts. As of Tuesday morning, we have not received a response.

According to WauchulaGhost, once you have an email address for an account, the next step is gaining access to that email. Common tactics include malware, apps that guess multiple passwords at once, eventually forcing their way in, or using known information about a person to trick them into sharing their password.

"All I have to do is guess the email. Which I have been rather good at doing," WauchulaGhost told CNNTech via Twitter DM. "Then verify the email exists. At that point take the email account, reset Twitter password, boom....I own the Pres. Not saying I'm going to..haha. But it's rather easy for some."

It's likely more difficult than that. A representative from Twitter said the company doesn't comment on individual accounts, but pointed out that the White House Communications Agency manages security protocols for White House accounts, which, according to Twitter, go beyond two-factor authentication. And even two-factor authentication on its own would make it significantly more difficult for a hacker to take control of their Twitter handles.

But according to former State Department Senior Advisor Chris Bronk, the absence of this security setting on White House accounts opens a potentially dangerous door.

"Is it a grave vulnerability? Probably not. But it's tipping your hand. Every piece of evidence [a hacker] can build up to target your profile can be useful on an attack campaign," Bronk told CNNTech.

Date
2017.01.25 / 14:59
Author
Axar.az