How Activist DeRay Mckesson’s Twitter Account Was Hacked

Kate Conger, writing for TechCrunch:

After regaining control of his Twitter account, Mckesson explained that the hacker or hackers were able to take over by convincing Verizon to reset his SIM. With the SIM reset, the person responsible was able to receive text messages intended for Mckesson and therefore bypass the two-factor authentication the activist used to keep his account secure.

“Verizon takes the security and privacy of our customers very seriously. We are aware of Mr. Mckesson’s claims and Verizon security teams are investigating,” Verizon told TechCrunch.

Goes to show that two-factor authentication is only as strong as the second factor — and with Verizon it would appear your phone is not a strong factor. Scary.

Update: All the attacker needed was the last four digits of Mckesson’s SSN.

Friday, 10 June 2016