Buterin Regains Control of T-Mobile Account, Unearths SIM-Swap Culprit
Ethereum co-founder, Vitalik Buterin, has uncovered the truth behind the recent hack of his X (Twitter) account. In a revelation made on the decentralized social media platform Farcaster on September 12, Buterin confirmed that a SIM-swap attack was the cause of the breach.
Lessons Learned and Security Implications
The tech luminary, who has since regained control of his T-Mobile account, shed light on the incident. "Yes, it was a SIM swap, meaning that someone socially-engineered T-Mobile itself to take over my phone number," explained Buterin.
Reflecting on the episode, Buterin shared valuable lessons and insights with the community. He emphasized that a phone number alone can serve as the gateway to resetting a Twitter account's password, even without being used as two-factor authentication (2FA). He urged users to consider removing their phone numbers entirely from their Twitter profiles, noting that he had previously underestimated the vulnerability associated with phone numbers in this context.
Scammers Exploit the Hack for a Fake NFT Giveaway
The security breach occurred on September 9, when Buterin's X account was commandeered by scammers. They used the account to orchestrate a fraudulent NFT giveaway, luring victims to click on a malicious link. Unfortunately, this scheme resulted in collective losses exceeding $691,000 for those who fell victim to the deception.
Industry Recommendations for Enhanced Security
In the wake of this incident, Ethereum developer Tim Beiko urged users to remove their phone numbers from their X accounts and activate 2FA as an additional layer of security. Beiko suggested that it should be standard practice for accounts with substantial followings, proposing an automatic activation of 2FA when an account reaches a certain follower threshold, such as 10,000 followers. These recommendations were conveyed to platform owner Elon Musk.
Twitter opsec PSA:
If you have a phone number linked on your account, even with other 2FA, it can be used to reset your PW. Need to specifically disable it + remove phone #.
If your Twitter account pre-dates crypto, strongly recommend double-checking, and adding strong 2FA!
— timbeiko.eth ☀️ (@TimBeiko) September 9, 2023
SIM-Swap Attacks: A Persistent Threat
A SIM-swap attack, also known as simjacking, is a technique employed by hackers to take control of a victim's mobile phone number. With access to the victim's number, scammers can manipulate two-factor authentication (2FA) processes, potentially gaining access to social media, banking, and cryptocurrency accounts.
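The account-recovery weakness Buterin and Beiko describe (a linked phone number can confirm a password reset even when SMS is not the second factor) can be written down as a small threat model. This is an added example, not code from the article; the setting names, the factor labels and the rule that a reset still leaves the login-time second factor to be satisfied are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added threat-model sketch (assumed names and rules, not the platform's real logic).
# It mirrors the article's point: a phone number on the profile can confirm a
# password reset by SMS even when SMS is not the 2FA method, unless phone-based
# reset is specifically disabled and the number removed.

@dataclass(frozen=True)
class AccountSettings:
    phone_linked: bool         # a phone number is stored on the profile
    phone_reset_enabled: bool  # password reset may be confirmed with an SMS code
    second_factor: str         # "none", "sms" or "app_or_key" (assumed labels)

def sim_swap_impact(s: AccountSettings) -> list[str]:
    """What an attacker gains once the carrier has been socially engineered into
    moving the victim's number to the attacker's SIM (they now receive the codes)."""
    impact = []
    # An SMS code proves 'ownership' of the number, which the attacker now holds.
    # Assumption: the reset sets a new password, and the second factor (if any)
    # is still checked at login.
    reset_possible = s.phone_linked and s.phone_reset_enabled
    if reset_possible and s.second_factor == "none":
        impact.append("SMS-confirmed password reset, then log in (no 2FA): takeover")
    elif reset_possible and s.second_factor == "sms":
        impact.append("SMS-confirmed password reset, then pass SMS 2FA: takeover")
    elif reset_possible:
        impact.append("password can be reset (lockout risk); login still needs app/key")
    elif s.second_factor == "sms":
        impact.append("SMS 2FA is defeated; only the password still protects login")
    return impact

def exposed_to_sim_swap(s: AccountSettings) -> bool:
    """True if a SIM swap alone takes the account or weakens its protection."""
    return bool(sim_swap_impact(s))

def harden(s: AccountSettings) -> AccountSettings:
    """Apply the recommendations in the article: remove the number, disable
    phone-based reset, and use a non-SMS second factor."""
    return AccountSettings(phone_linked=False, phone_reset_enabled=False,
                           second_factor="app_or_key")

if __name__ == "__main__":
    # Constructed sample: phone on file, reset allowed, no 2FA at all.
    acct = AccountSettings(phone_linked=True, phone_reset_enabled=True,
                           second_factor="none")
    for line in sim_swap_impact(acct):
        print("exposed:", line)
    print("still exposed after hardening?", exposed_to_sim_swap(harden(acct)))
```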
This is not the first instance of T-Mobile being linked to such attacks. In 2020, the telecommunications giant faced a lawsuit over allegations that it enabled the theft of $8.7 million worth of cryptocurrency through a series of SIM-swap attacks. T-Mobile was once again embroiled in a legal dispute in February 2021 when a customer lost $450,000 in Bitcoin due to another SIM-swap attack.