No matter how many factors of authentication you hide behind or how strong an algorithm says your password is: hackers gonna hack.
Last week, tens of millions of Twitter user credentials were found on the dark Web—a leak the social network blamed on other recent breaches and a rash of password-stealing malware.
But cybercriminals don’t need to know your birthdate, first pet’s name, or favorite baseball team. And civil rights activist and former Baltimore mayoral candidate Deray Mckesson learned that the hard way.
I was hacked today: my Twitter account, two email addresses, & my phone. It was not due to passwords, they hacked my phone account itself.
— deray mckesson (@deray) June 10, 2016
As detailed in a series of tweets, someone posing as Mckesson called Verizon Friday morning. Armed with the last four digits of his Social Security number, the attacker was able to change the registered SIM on Mckesson’s account to one they controlled, redirecting all calls and texts.
The hacker then triggered a Twitter password reset, and, easily bypassing the two-factor authentication Mckesson uses “on all accounts,” took over his account, tweeting endorsements of Donald Trump. All fraudulent tweets have since been deleted, but not before TechCrunch managed to save a screenshot.
“No, I do not endorse Trump as the next president,” Mckesson tweeted last week. “He cannot be the president of the United States. He is [a] racist [and] a bigot, unfit to lead.”
Two of Mckesson’s email addresses were also breached.
Public figures aren’t the only ones at risk, though. Federal Trade Commission Chief Technologist Lorrie Cranor last week blogged about her experiences as a victim of ID theft.
Similar to Mckesson’s story, Cranor’s begins with a hacked mobile account.
“A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers,” she wrote.
Protecting yourself against sophisticated, tech-savvy hackers isn’t always easy. But Cranor suggests you start by establishing a password or PIN required before making changes to your mobile account; different carriers offer this feature in different ways.