Twitter in Serious Need for Better 2FA as Twitterati Questions its Security

Jack Dorsey, the co-founder and CEO of Twitter had his account taken over briefly by the hackers on August 31st. Twitter confirmed when it Tweeted,

“We're aware that Jack was compromised and investigating what happened.”

.@jack got hacked on his own app

— Kyle Kashuv (@KyleKashuv) August 30, 2019

It further stated that the account has been secured with “no indication that Twitter's systems have been compromised.”

As for how did it exactly happen?

“The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number,” read the statement from Twitter Comms.

Maybe Twitter will fix their 2fa now to default to something other than SMS.

— Strip Mall Status (@ledgerstatus) August 30, 2019

The profile — that has more than four million followers — tweeted a flurry of racist and highly offensive remarks during the 15 minutes the account remained hacked. The offensive messages used the n-word and anti-Semitic comments.

The Chuckling squad that has taken credit for a number of attacks on high-profile Twitter accounts recently said it was behind this attack as well.

https://twitter.com/Hooray/status/1167525255600058371

The hackers used a technique known as Simswapping or simjacking to control Dorsey’s account.

In this technique, the existing phone number is transferred to a new Sim card.

“SIM swapping is, it's when someone tricks or bribes someone at a mobile phone provider/store into transferring your cell service to a new SIM card/device they control. Allows interception of text messages, phone calls used for two-factor authentication,” explained Brain Krebs, Author of ‘Spam Nation.'

For those asking what SIM swapping is, it's when someone tricks or bribes someone at a mobile phone provider/store into transferring your cell service to a new SIM card/device they control. Allows interception of text messages, phone calls used for two-factor authentication.

— briankrebs (@briankrebs) August 30, 2019

The attackers were then able to post tweets via text message on to Dorsey’s Twitter account by taking control of the number.

If @jack can be hacked, we're all doomed …

— James A. Gagliano (@JamesAGagliano) August 30, 2019

If Jack Dorsey, the CEO of Twitter can get hacked, we might as well all make our passwords public

— 𝐄𝐱𝐚𝐯𝐢𝐞𝐫 𝐏𝐨𝐩𝐞 (@exavierpope) August 30, 2019

Change your @Twitter and crypto account authentication to non-SMS based 2FA like Google Authenticator immediately. https://t.co/Q9oKZoLTIC

— Justin Sun (@justinsuntron) August 31, 2019