    Security firm Mandiant says its hacked Twitter account did not have 2FA enabled • Graham Cluley


Anyone who works in computer security knows that they should enable two-factor authentication (2FA) on their accounts.

2FA provides an extra layer of security. An attacker might guess, steal, or brute-force the password to your account, but without the second factor, typically a time-based one-time password (TOTP) from an authenticator app, they still cannot log in.

So why didn’t Mandiant use 2FA to protect its Twitter account, which was hijacked last week to promote a cryptocurrency scam?

Mandiant promised in the wake of the hack to share details of what happened, and, true to its word, it has now done so.

But Mandiant’s explanation of how it was hacked raises more questions than it answers. Here is the company's statement:

We have completed our investigation into last week’s Mandiant X account takeover and determined that this might be a brute-force password attack, limited to this single account.

They seem to be saying that someone tried over and over again to break into Mandiant’s Twitter account, or rather had a computer do it for them, and eventually got lucky.

If that’s the case, you have to wonder how long and complex Mandiant’s Twitter password was.

Presumably Mandiant has changed the password by now, so why not tell us what it was? If we knew how much effort an attacker would have needed to crack Mandiant’s password, and how long it might have taken, perhaps we could all learn something.

Postscript: “might be”? It sounds like Mandiant isn’t sure.

My guess is that Mandiant’s Twitter account may have been hacked in a similar manner to CertiK, another company whose account was hijacked around the same time.

In that case, the attacker contacted CertiK posing as a Forbes reporter and tricked an employee into clicking on a link that pretended to be a calendar link for scheduling an interview.

    Anyway, let’s take a closer look at what Mandiant has to say about its security breach:

Normally, 2FA would mitigate this, but due to some team transitions and changes in X’s 2FA policy, we were not fully protected. We have made changes to our processes to ensure this does not happen again.

Well, there is a carefully worded sentence! Mandiant seems to be deliberately avoiding saying outright that its Twitter account did not have 2FA enabled, but that is the only way I can read it.

I imagine it would be quite embarrassing for a cybersecurity company to admit that it didn’t have 2FA enabled.

But then there’s the part about “changes in X’s 2FA policy” (X being the silly name we are now supposed to use for Twitter, a game I’m not playing just yet…).

My guess is that Mandiant is referring to the changes to 2FA that Twitter announced last February. Twitter said it would remove SMS-based 2FA in March 2023 for all users except paid Twitter Blue subscribers, and that anyone who did not want to risk losing access to their account would have to disable SMS 2FA before the deadline.

At the time, I criticised Twitter’s decision, saying it would make some users less safe.


SMS-based 2FA is one of the weakest ways to implement 2FA (because of SIM-swap attacks), but it is still better than no 2FA at all.

It seems to me that Mandiant removed the SMS-based 2FA protection from its account (presumably out of fear of being locked out once Twitter made it a premium-only feature) but never replaced it with a more robust alternative such as a hardware security key or an authenticator app.

I know that setting up multi-factor authentication can get more complicated when you’re dealing with accounts used by teams rather than individuals, but there are ways around this. The truth is, there is no legitimate reason for any company (especially a security company) not to use 2FA to protect its accounts.

Mandiant has published a blog post about the attackers and the CLINKSINK wallet-draining malware linked to this attack.

Did you find this article interesting? Follow Graham Cluley on Twitter, Mastodon or Threads to read more of our exclusive content.

