Twitter’s Security Team (I refuse to call the site X because that’s a completely stupid name a 9 year old would choose) has responded to the high-profile hack of the U.S. Securities and Exchange Commission’s Twitter account that made headlines around the world.
What do they have to say?
Well, in short – “It’s not our fault.”
“Based on our investigation, this leak was not due to a breach of its systems. We can also confirm that the account did not have two-factor authentication enabled at the time of the breach.”
What @Safety is saying is that someone hijacked control of a mobile phone number associated with an official SEC account. Some people speculate that this was carried out through a SIM swap attack.
A SIM swap attack is when scammers trick a cell phone provider’s customer service staff into handing them control of someone else’s phone number. Sometimes scammers will feed telecommunications companies personal details about their targets, tricking staff into believing they are someone they are not.
When a service like Twitter later sends a password reset link or authentication token via text message to the user’s phone number, it ends up in the hands of criminals.
Victims of past SIM swapping attacks include former Twitter boss Jack Dorsey, whose Twitter account was hijacked in 2019.
And, I’m afraid, Twitter does allow anyone who simply knows and has access to your mobile phone number to reset your account password.
Another interesting tidbit is that the official SEC Twitter account does not have two-factor authentication (2FA) enabled. I recommend that all users turn this feature on, as it provides an extra layer of security – and can make it more difficult (though not entirely impossible) for criminals to break into accounts.
Frankly, it’s crazy to hear that the SEC hasn’t enabled multi-factor authentication.
Is this the same SEC chaired by Gary Gensler? During October’s Cyber Security Awareness Month, he reminded everyone of the importance of setting up multi-factor authentication to protect their accounts.
Hey, here’s an idea for Twitter/X/Elon’s multi-billion dollar vanity project (delete as applicable).
Why not make two-factor authentication (preferably not SMS-based, as there are better forms of 2FA) mandatory for verified business accounts on Twitter?
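To make the point concrete, here is an added example (not code from Twitter or from this post) that models a simplified account-recovery flow: the carrier routes SMS to whichever handset currently holds a number, so an SMS-delivered reset token alone is worth nothing once the number has been swapped, while requiring a non-SMS second factor (an RFC 6238 TOTP code) blocks the reset. The phone number, device names and TOTP secret are constructed values.

```python
import hmac, hashlib, struct, time, secrets

# Constructed model of a recovery flow, not any real service's code.
CARRIER = {}   # phone number -> device id that currently receives its SMS
INBOX = {}     # device id -> list of SMS texts delivered to it

def deliver_sms(number, text):
    """The carrier routes the text to whoever holds the number right now."""
    INBOX.setdefault(CARRIER[number], []).append(text)

def totp(secret: bytes, t=None, step=30, digits=6):
    """RFC 6238 TOTP built on RFC 4226 HOTP with HMAC-SHA1."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class Account:
    def __init__(self, phone, totp_secret=None):
        self.phone, self.totp_secret = phone, totp_secret
        self.reset_token = None

    def request_reset(self):
        """Password reset: a one-time token is sent by SMS to the number on file."""
        self.reset_token = secrets.token_hex(8)
        deliver_sms(self.phone, f"reset:{self.reset_token}")

    def complete_reset(self, token, totp_code=None, now=None):
        if token != self.reset_token:
            return False
        # With app-based 2FA enabled, the SMS token alone is not enough.
        if self.totp_secret is not None and totp_code != totp(self.totp_secret, now):
            return False
        self.reset_token = None
        return True

def sim_swap_scenario(require_totp: bool) -> bool:
    """True if whoever controls the phone number can complete a password reset."""
    CARRIER.clear(); INBOX.clear()
    CARRIER["+15550100"] = "victim-handset"
    secret = b"12345678901234567890" if require_totp else None   # RFC 6238 test secret
    acct = Account("+15550100", totp_secret=secret)
    # After a SIM swap the carrier now routes the victim's number elsewhere.
    CARRIER["+15550100"] = "other-handset"
    acct.request_reset()
    token = INBOX["other-handset"][-1].split(":")[1]
    return acct.complete_reset(token)   # the number holder has no TOTP code
```

Running `sim_swap_scenario(False)` returns True (the number holder resets the password); `sim_swap_scenario(True)` returns False because the SMS token is rejected without the authenticator code.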