September 11, 2020•332 words
In 2016, Donald Trump's Twitter password was yourefired: two English words run together, with no substitutions and in a single case. Two words which would be rather easy to guess for anyone who knew anything about him.
This is known because of the 2012 LinkedIn leak: Donald Trump had (at least in 2012) a LinkedIn account, and the unsalted SHA-1 hash of his LinkedIn password, 07b8938319c267dcdb501665220204bbde87bf1d, was included in the leak. Because the hash is unsalted, it is easy to verify that the password above hashes to it. For instance, using Racket:
> (require file/sha1)
> (sha1 #"yourefired")
"07b8938319c267dcdb501665220204bbde87bf1d"
We know this was also his Twitter password in 2016 because he reused the same easy-to-guess password on Twitter, and was too stupid to change it in the four years after the leak.
This was discovered in 2016 by three Dutch security researchers, who published their findings. They tried to inform the US authorities but were ignored; the Dutch authorities did at least acknowledge their report.
The English dictionary on my machine has 235,886 words in it. A brute-force attack on Trump's password, given the hash, means trying at most 235,886² ≈ 5.6 × 10¹⁰ two-word concatenations, which takes about 56 seconds at a billion hashes a second; a single modern GPU computes SHA-1 considerably faster than that. And because the hashes were unsalted, one pass over that candidate space tests every account in the dump at once.
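To make the arithmetic above concrete, here is an added example (not code from the original post) that runs the two-word dictionary attack against an unsalted SHA-1 hash in Python. The wordlist is a small constructed one standing in for a system dictionary, the target hash is computed from the password quoted in the post rather than copied from the leaked data, and the time estimate uses the post's figures.

```python
"""Two-word dictionary attack on an unsalted SHA-1 password hash.

Added example, not code from the original post. WORDLIST is a constructed
stand-in for /usr/share/dict/words; the target hash is derived locally.
"""
import hashlib
import itertools
from typing import Optional, Sequence

# Constructed mini-dictionary (assumption: stands in for a real word list).
WORDLIST = ["apprentice", "fired", "great", "tower", "wall", "youre", "winning"]


def sha1_hex(candidate: str) -> str:
    """Unsalted, single-round SHA-1 of the candidate, hex-encoded.

    This is how the leaked LinkedIn hashes were stored: no per-user salt,
    so identical passwords give identical hashes across every account.
    """
    return hashlib.sha1(candidate.encode()).hexdigest()


def crack_two_words(target_hex: str, words: Sequence[str]) -> Optional[str]:
    """Try every ordered pair of dictionary words, lower-case, no separator.

    One hash per candidate is all the work required; with a salted hash the
    whole loop would have to be repeated for every user, and with a slow
    hash (bcrypt, scrypt, Argon2) each iteration would cost far more.
    """
    target_hex = target_hex.lower()
    for first, second in itertools.product(words, repeat=2):
        candidate = first + second
        if sha1_hex(candidate) == target_hex:
            return candidate
    return None


def two_word_attack_seconds(dictionary_size: int, hashes_per_second: float) -> float:
    """Worst-case time to exhaust all ordered two-word concatenations."""
    return dictionary_size ** 2 / hashes_per_second


if __name__ == "__main__":
    target = sha1_hex("yourefired")  # constructed target, computed locally
    print("target hash:", target)
    print("recovered:  ", crack_two_words(target, WORDLIST))
    # The post's figures: a 235,886-word dictionary at 10^9 hashes/second.
    print(f"worst case:  {two_word_attack_seconds(235_886, 1e9):.1f} s")
```

The search loop is the whole attack: no precomputation, no rainbow tables, just one SHA-1 per candidate. A hash that is unknown to the wordlist (or uses a separator, digits or mixed case) falls outside this candidate space and returns None, which is why the estimate is a bound on this particular pattern rather than on all ten-character passwords.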
The LinkedIn breach was very well publicised at the time: any competent security organisation would have known about it, and any hostile one will certainly have used the leaked hashes to try to recover the passwords of people of interest to it.
In other words, it is beyond any reasonable doubt that the Russians had access to Donald Trump's Twitter account in 2016 and before, as probably did any number of other state security services. That means, for instance, that they could read Twitter DMs sent to him, send fake DMs as him, and indeed post public tweets as him had they wished.
If his password hygiene was as poor elsewhere as it seems to have been here, it is likely that they were all over a large number of his other accounts, his email for instance.