Vitalik Buterin Explains Twitter Account Hack | Cryptoglobe

cryptoglobe.com, 12 September 2023 04:44 UTC

Ethereum co-founder Vitalik Buterin has revealed that the recent unauthorized access to his Twitter account was due to a SIM-swap attack.

A SIM-swap attack, also known as SIM jacking, is an attack in which the attacker tricks a mobile carrier into porting the victim's phone number to a SIM card the attacker controls. From that point every SMS and call to the number, including one-time login codes and password-reset links, is delivered to the attacker's device, which is enough to take over any account whose login or recovery depends on that number: social media, bank, and cryptocurrency accounts among them. The attacker never needs the victim's password, so the attack carries a significant risk of financial loss and data theft.

According to a report by Martin Young for Cointelegraph, Buterin made this revelation on Farcaster, a decentralized social media platform. He stated that he has regained control of his T-Mobile account, which the attacker had taken over through a SIM swap.

Buterin emphasized the risk of leaving a phone number linked to a Twitter account. He noted that even when the number is not used for two-factor authentication (2FA), it remains a password-recovery channel: whoever controls the number can reset the account password. He admitted that although he had heard the advice against using phone numbers for authentication, he had not fully grasped the implications until now.
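The point above, and the SIM-swap mechanism described earlier, come down to one rule: an account is only as strong as its weakest recovery path. The following added example (not code from the article, and not X/Twitter's real recovery logic) models an account as a set of second factors plus a set of password-reset channels and asks which configurations an attacker who holds only the victim's phone number can take over. Names such as `sms_reset`, `email_reset` and `totp`, and the assumption that second factors are still enforced after a reset, are illustrative choices made here.

```python
"""Recovery-path model for a social-media account.

Added example, not from the article and not the platform's real logic: the
account shape, factor names and attacker capability sets below are constructed
for illustration only.
"""

# What an attacker who has hijacked the victim's phone number (SIM swap)
# gains: every SMS one-time code and every SMS password-reset link.
# (Assumed capability names, not a real API.)
PHONE_GRANTS = frozenset({"sms_otp", "sms_reset"})


def recovery_paths(account):
    """Return every capability set that yields access to the account.

    account = {"second_factors": set(...), "reset_channels": set(...)}

    Second factors are enforced at login. A reset channel lets its holder
    set a new password without knowing the old one; we assume the second
    factors still apply afterwards (assumption made for this model).
    """
    second = frozenset(account["second_factors"])
    paths = [frozenset({"password"}) | second]           # normal login
    for channel in account["reset_channels"]:              # reset, then login
        paths.append(frozenset({channel}) | second)
    return paths


def can_take_over(account, capabilities):
    """True if some recovery path needs nothing the attacker lacks."""
    return any(path <= capabilities for path in recovery_paths(account))


def minimal_extra(account, capabilities):
    """Smallest set of capabilities the attacker still needs for any path."""
    return min((path - capabilities for path in recovery_paths(account)), key=len)


# Constructed configurations (assumed, for illustration).
CONFIGS = {
    # phone linked, no 2FA: the situation the article describes
    "phone_linked_no_2fa": {
        "second_factors": set(),
        "reset_channels": {"email_reset", "sms_reset"},
    },
    # phone linked and used as the SMS second factor
    "phone_linked_sms_2fa": {
        "second_factors": {"sms_otp"},
        "reset_channels": {"email_reset", "sms_reset"},
    },
    # phone still linked, but 2FA is an authenticator app
    "phone_linked_totp": {
        "second_factors": {"totp"},
        "reset_channels": {"email_reset", "sms_reset"},
    },
    # phone removed, authenticator-app 2FA: Beiko's recommended state
    "no_phone_totp": {
        "second_factors": {"totp"},
        "reset_channels": {"email_reset"},
    },
}


def report(configs=CONFIGS, attacker=PHONE_GRANTS):
    """Map each configuration to (takeover possible?, what is still missing)."""
    return {
        name: (can_take_over(acct, attacker), minimal_extra(acct, attacker))
        for name, acct in configs.items()
    }


if __name__ == "__main__":
    for name, (owned, missing) in report().items():
        status = "TAKEN OVER" if owned else f"needs also {sorted(missing)}"
        print(f"{name:22s} attacker with phone number only: {status}")
```

Running it shows that with a phone number linked and no 2FA, the hijacked number alone completes a reset path, which is exactly the case Buterin describes; SMS 2FA does not change that, because the same number satisfies the second factor. The model treats an authenticator app as still required after a reset, which is an assumption; the safer course, and Beiko's advice below, is to remove the number so that no SMS-dependent path exists at all.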

Source: Farcaster

On September 9, Buterin's Twitter account was compromised by fraudsters who posted a fake NFT giveaway. The post directed users to a malicious link, and the resulting losses exceeded $691,000 in total.

Source: X

Following this incident, Ethereum developer Tim Beiko strongly advised removing phone numbers from Twitter accounts and enabling 2FA. Beiko suggested that enabling 2FA should be standard practice, especially for accounts with a large following.

Twitter opsec PSA:

If you have a phone number linked on your account, even with other 2FA, it can be used to reset your PW. Need to specifically disable it + remove phone #.

If your Twitter account pre-dates crypto, strongly recommend double-checking, and adding strong 2FA! pic.twitter.com/uXrvHYhQvJ

— timbeiko.eth ☀️ (@TimBeiko) September 9, 2023