Ethereum co-founder Vitalik Buterin has recovered his Twitter handle after an attack that led to the hijacking of the account. Buterin confirmed his T-Mobile account was a victim of a sim swap that led to the takeover.
A SIM swap is a kind of attack in which the attacker contacts your mobile phone carrier and convinces them to activate a new SIM card, under their control, in your name. Once this is done, the attacker receives your calls and text messages and can use them to reset the passwords of personal accounts such as Twitter, leading to a takeover of the account.
“Finally got back my T-mobile account (yes, it was a sim swap, meaning that someone socially-engineered T-mobile itself to take over my phone number),” Buterin wrote on Warpcast — a client for the decentralized social protocol Farcaster, where account recovery can be managed via an Ethereum address.
“A phone number is sufficient to password reset a Twitter account even if not used as 2FA,” Buterin noted. “I had seen the ‘phone numbers are insecure, don’t authenticate with them’ advice before, but did not realize this,” he further stated.
2FA is an additional security feature that you can activate on your Twitter or other accounts. Once activated, no one can access your account without also passing a second verification step, such as a code sent to your registered email address.
This makes SIM swaps and similar attacks harder to carry out against your account. Twitter users, however, seem reluctant to use the feature because of incidents in which the mobile carrier failed to deliver the required verification code, locking them out of their accounts.
Buterin fell victim to a Twitter account hack a few days ago when his account was hijacked to promote a crypto scam. The hacker first announced the launch of a set of commemorative non-fungible tokens (NFTs) from software provider Consensys which included a malicious link.
His followers were then asked to follow the link and connect their wallets to mint the NFT, and many of them complied. This allowed the hacker to steal $691,000 in crypto assets through the attack, which was first noticed on Saturday.
Buterin’s father, Dmitriy “Dima” Buterin, was the first to raise the alarm following the hack. “Disregard this post, apparently Vitalik has been hacked. He is working on restoring access,” he posted on Sunday 10 September.
Though not sure how his phone number came to be linked to the account, Buterin guesses it must have happened when he signed up for the Twitter Blue premium account.
“I don’t remember when I *added* the number; my guess is that it was required to sign up for Twitter Blue,” Buterin said.
A Warning to Other Users
Although many Twitter users are skeptical about using 2FA to secure their accounts, it is advisable to enable it, especially when you sign up for Twitter Blue, as the platform automatically adds your phone number to your profile.
Flashbots strategy lead Hasu warned Twitter users to be vigilant, claiming every Twitter Blue account is SIM-swappable.
“If you signed up to Twitter Blue, it automatically added your phone number to your Twitter profile,” Hasu said. “This phone number can be used to reset your account, whether you use it for 2FA or not. Go to settings/profile to remove your phone number right now,” he wrote.