According to Twitter: “The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.”

A SIM swap attack involves convincing your mobile phone provider to switch your phone number over to a SIM card an attacker controls. Afterwards, all incoming messages, calls and SMS codes are delivered to the attacker's own phone, which now carries the swapped number.

In Jack Dorsey's case, the hacker sent tweets via the swapped phone number associated with Jack's Twitter account. Any text message sent to 404-04 from that number is posted as a tweet on the Twitter account associated with the phone number.

SIM swap attacks and SMS interception have been the cause of many security breaches. The Reddit breach of August 2018 was caused by SMS 2FA interception. According to Reddit: “we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA”

SMS/SIM as a method of user authentication is already deprecated in the NIST identity guidelines.

Authentication factors based on challenge-response protocols such as WebAuthn, which use the user's smartphone as proof of possession and/or biometrics, are far more secure than one-time passwords: the secret never travels over the phone network, so there is nothing for a SIM swapper to intercept.
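To make the contrast concrete, here is an added Go model of a WebAuthn-style challenge-response login (example code, not from the original post or from any WebAuthn library): the server issues a single-use random challenge, the device signs it with a key that never leaves the device, and a captured answer or an answer from a device the server never enrolled is rejected. The RP ID twitter.com is an assumption, EdDSA stands in for whichever WebAuthn algorithm a real relying party picks, and the browser-supplied origin that real WebAuthn also signs is left out for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var ErrChallenge = errors.New("challenge unknown or already used")
var ErrSignature = errors.New("signature does not verify against the registered key")

// Authenticator models the user's device (phone or security key). The private key
// never leaves it, so a SIM swap or SMS intercept has nothing to capture.
type Authenticator struct{ priv ed25519.PrivateKey }

// RelyingParty models the web service: the public key registered at enrolment and
// the challenges it has issued but not yet seen answered.
type RelyingParty struct{ RPID string; pub ed25519.PublicKey; pending map[string]bool }

// Register is the one-time enrolment: the device makes a key pair (EdDSA is one of
// the WebAuthn algorithms) and only the public half reaches the server.
func Register(rpID string) (*Authenticator, *RelyingParty) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv}, &RelyingParty{rpID, pub, map[string]bool{}}
}

// NewChallenge issues a fresh random nonce and records it so it is accepted once.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[string(c)] = true
	return c
}

// signedData mirrors what a WebAuthn authenticator signs: hash(RP ID) || hash(client data).
// Here client data is just the challenge (assumption: real WebAuthn also includes the origin).
func signedData(rpID string, challenge []byte) []byte {
	rpHash, client := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	return append(rpHash[:], client[:]...)
}

// Assert answers a challenge with a signature; nothing reusable ever leaves the device.
func (a *Authenticator) Assert(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(rpID, challenge))
}

// Verify enforces what an SMS code cannot: single use, and proof of a key the network never carried.
func (rp *RelyingParty) Verify(challenge, sig []byte) error {
	if !rp.pending[string(challenge)] {
		return ErrChallenge
	}
	delete(rp.pending, string(challenge)) // consumed even on failure, so a captured answer cannot be replayed
	if !ed25519.Verify(rp.pub, signedData(rp.RPID, challenge), sig) {
		return ErrSignature
	}
	return nil
}
```

Compare this with SMS 2FA, where the code itself is the secret: whoever receives the text, including the holder of a swapped SIM, can log in.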
