The co-founder and chief executive of Twitter had his own account on the service briefly taken over by hackers.
A group referring to itself as the Chuckling Squad said it was behind the breach of Jack Dorsey’s account.
The profile, which has more than four million followers, tweeted out a flurry of highly offensive and racist remarks for about 15 minutes.
Twitter said its own systems were not compromised, instead blaming an unnamed mobile operator.
“The phone number associated with the account was compromised due to a security oversight by the mobile provider,” Twitter said in a statement.
“This allowed an unauthorised person to compose and send tweets via text message from the phone number. That issue is now resolved.”
How did it happen?
A source at the company confirmed to the BBC that the hackers had used a technique known as “simswapping” (or “simjacking”) in order to control Mr Dorsey’s account.
This is a technique whereby an existing phone number – in this case one associated with Mr Dorsey’s account – is transferred to a new SIM card, usually after attackers trick or bribe customer support staff at a mobile provider.
By taking control of the number, the attackers were able to post tweets via text message directly on to Mr Dorsey’s Twitter account.
While nowadays the overwhelming number of users use mobile apps to tweet, Twitter’s early days were built around texting in updates – hence the character limit – and Twitter has kept this method, in part because of its use in developing countries with high data costs.
What did the hackers post?
The offensive messages – some posted directly by the @jack account, and others retweeted from other accounts – used the n-word and made anti-Semitic comments referencing the Holocaust.
One post suggested there was a bomb at the social media company’s headquarters.
A chat channel on Discord, a separate website, was apparently set up by the group to discuss and joke about the attack – but was quickly shut down.
The Chuckling Squad has taken credit for a number of attacks on high-profile Twitter accounts recently, including beauty vlogger James Charles and an account belonging to YouTube personality Desmond Amofah, known as @Etika, who died earlier this year in an apparent suicide.
While the security lapse appears to have happened outside the company, it is still an embarrassing incident for Twitter, a service which hosts the world’s most powerful leaders.
Follow Dave Lee on Twitter @DaveLeeBBC
Do you have more information about this or any other technology story? You can reach Dave directly and securely through encrypted messaging app Signal on: +1 (628) 400-7370