Vitalik Buterin reveals X account hack was caused by SIM-swap attack
Ethereum co-founder Vitalik Buterin has confirmed that the recent hack of his X (Twitter) account was the result of a SIM-swap attack.
Speaking on the decentralized social media network Farcaster on Sept. 12, Buterin said that he has finally recovered his T-Mobile account after the hacker managed to gain control of it via a SIM swap attack.
“Yes, it was a SIM swap, meaning that someone socially-engineered T-mobile itself to take over my phone number.”
The Ethereum co-founder also shared some lessons from his experience with X.
“A phone number is sufficient to password reset a Twitter account even if not used as 2FA,” he said, adding that users can “completely remove [a] phone from Twitter.”
“I had seen the ‘phone numbers are insecure, don’t authenticate with them’ advice before, but did not realize this.”
On Sept. 10, Ethereum developer Tim Beiko strongly recommended removing phone numbers from X accounts and having 2FA enabled. “Seems like a no-brainer to have this default on, or to default turn it on when an account reaches, say, >10k followers,” he said to platform owner Elon Musk.
Twitter opsec PSA:
If you have a phone number linked on your account, even with other 2FA, it can be used to reset your PW. Need to specifically disable it + remove phone #.
If your Twitter account pre-dates crypto, strongly recommend double-checking, and adding strong 2FA! pic.twitter.com/uXrvHYhQvJ
— timbeiko.eth ☀️ (@TimBeiko) September 9, 2023
A SIM-swap or simjacking attack is a technique used by hackers to gain control of a victim’s mobile phone number. With control of the number, scammers can receive SMS-based two-factor authentication (2FA) codes and use them to access social media, bank, and crypto accounts.
It is not the first time T-Mobile has been implicated in this type of attack. In 2020, the telecoms giant was sued for allegedly enabling the theft of $8.7 million worth of crypto in a series of SIM-swap attacks.
T-Mobile was also sued again in February 2021 when a customer lost $450,000 in Bitcoin in another SIM-swap attack.
Article updated to include additional comments from Tim Beiko.