Ethereum co-founder Vitalik Buterin has confirmed that the recent hack of his X (Twitter) account was the result of a SIM-swap attack.
Speaking on the decentralized social media network Farcaster on Sept. 12, Buterin said that he has finally recovered his T-Mobile account after the hacker managed to gain control of it via a SIM swap attack.
“Yes, it was a SIM swap, meaning that someone socially-engineered T-mobile itself to take over my phone number.”
The Ethereum co-founder added some lessons and learnings from his experience with X.
“A phone number is sufficient to password reset a Twitter account even if not used as 2FA,” he said, adding that users can “completely remove [a] phone from Twitter.”
“I had seen the ‘phone numbers are insecure, don’t authenticate with them’ advice before, but did not realize this.”
On Sept. 9, Buterin’s X account was taken over by scammers who posted a fake NFT giveaway prompting users to click a malicious link which resulted in victims collectively losing over $691,000.
On Sept. 10, Ethereum developer Tim Beiko strongly recommended removing phone numbers from X accounts and having 2FA enabled. “Seems like a no-brainer to have this default on, or to default turn it on when an account reaches, say, >10k followers,” he said to platform owner Elon Musk.
Twitter opsec PSA:
If you have a phone number linked on your account, even with other 2FA, it can be used to reset your PW. Need to specifically disable it + remove phone #.
If your Twitter account pre-dates crypto, strongly recommend double-checking, and adding strong 2FA! pic.twitter.com/uXrvHYhQvJ
— timbeiko.eth ☀️ (@TimBeiko) September 9, 2023
A SIM-swap or simjacking attack is a technique used by hackers to gain control of a victim’s mobile phone number. With control of the number, scammers can use two-factor authentication (2FA) to access social media, bank, and crypto accounts.
It is not the first time T-Mobile has been involved in this type of attack vector. In 2020, the telecoms giant was sued for allegedly enabling the theft of $8.7 million worth of crypto in a series of SIM-swap attacks.
T-Mobile was also sued again in February 2021 when a customer lost $450,000 in Bitcoin in another SIM-swap attack.
Article updated to include additional comments from Tim Beiko.