In the Light of Twitter’s Grand Hacks: Why 2FA Didn’t Work

The social media giant Twitter has suffered its second cyber attack in the last two years. Let me outline what happened, why 2FA didn’t work, and what we can learn from the situation.

Unlike you or me, cyber crime has no working hours. In fact, with the surge in online activity due to COVID-19, the risk of cyber attacks has increased.

Cyber criminals around the world are constantly at work finding new ways around security protocols in place.

As you already know if you’ve been following the news lately, Twitter recently sustained a cyber hack that resulted in financial losses for some of their users, and it was the second attack in two years. 

Last year, none other than Jack Dorsey, the founder of Twitter, had his account compromised after a successful SIM swapping scheme.

After moving away from SMS-based 2FA, Twitter adopted authenticator apps such as Google Authenticator for the second factor. However, last week’s incident has shown that 2FA as a concept might not be enough.

The hackers managed to gain access to high-profile Twitter accounts, even those using 2FA for protection. And Twitter is not the only social media giant to have suffered cyber attacks or data breaches in recent years. For example, there was Facebook’s Cambridge Analytica breach or the Yahoo data breach that affected all three billion of its user accounts back in 2013. Such disasters prove that these companies should think about more sophisticated authentication, user verification, and fraud prevention systems. 


For today, I’ll focus on Twitter, why 2FA didn’t work for them, and what the best steps to take would be to avoid future attacks. 

How Twitter Became a Victim of Two Hacks in Two Years

Although we don’t yet have the complete picture, we know that this was a social engineering hack where the perpetrator gained access to an internal Slack channel. From there, they managed to acquire the login credentials for Twitter’s backend dashboard. 

Because the current authentication process for that dashboard doesn’t incorporate MFA or contextual signals, either of which could have helped prevent this hack, these credentials were all the attackers needed to succeed. How they gained access to the Slack channel in the first place remains to be answered, although reports suggest that an employee had been taken advantage of. 

After gaining access to Twitter’s backend, the hacker overtook a few high-profile accounts including those of Bill Gates, Elon Musk, and Barack Obama — from which they promoted a crypto scam that let them get away with $120,000 in untraceable Bitcoin payments. 

In addition to the financial fraud aspect, this has been a big blow to Twitter’s brand image. 

Last year’s successful takeover of Jack Dorsey’s account took advantage of the weaknesses of SMS-based 2FA. Back then Twitter’s reliance on SMS-based 2FA meant that in order to be authenticated, the user was required to enter a one-time password that they received via SMS. 

This is where SIM swapping came into play. In this scenario, a hacker would steal your identity to trick your mobile provider into issuing a new SIM card with your phone number. From there, they are able to intercept all of your messages, including the 2FA codes. That’s precisely what happened to Jack Dorsey.

Although you might think this is extremely hard to pull off, all it really takes is for the fraudster to obtain such personal information as your first and last name, social security number, date of birth, or your ID. That is all they would need to get successfully verified as being you. 

Once their new SIM card is active, the original SIM card is shut down, and by the time you realize that your SIM card isn’t working, the hacker has already done their damage. 

On the upside, it’s important to say that mobile operators have imposed stricter verification checks after SIM swapping started to gain a certain footing, but you have to remember that it is humans doing these checks, and the margin for errors in judgement is significant. 

With the constant increase in cyber crime, mobile operators are not the only ones working to upgrade their security protocols. In fact, it is predicted that between 2017 and 2021, cybersecurity spending will have exceeded $1 trillion.

So, what direction should we head in? 

What We Can Learn from the Twitter Hacks: 2FA, MFA and Continuous Authentication

After the SIM swapping incident at Twitter, they moved from SMS-2FA to 2FA that relies on third-party authenticator apps, an authentication method other social media networks such as Facebook or Instagram rely on as well. 

While safer than SMS-based 2FA, third-party app 2FA diminishes the user experience. The user needs to open a whole other app, generate and read the code, and then go back into the app they want to sign into and enter the code. 

What’s more, having only two layers of security doesn’t offer a lot of protection today, especially when the first one is a username and password most of the time. MFA would come in quite handy here.

Not only does it offer another layer of security, but implementing different authentication methods wisely means that they can cover for each other’s weaknesses, therefore ensuring that security, user experience, and privacy are all held to the highest of standards. 

Now, whichever methods companies decide to implement as part of their MFA system, it’s important to note that the process of securing a user’s mobile identity doesn’t stop after the initial authentication — instead, the ID needs to be protected from takeover at all times. 

Enter continuous authentication: the principle of running verification checks in the background throughout a session, with an explicit check triggered whenever the assessed risk is high. 

The risk of fraudulent activity is at its minimum just after you log in. The longer an app stays open, the more the risks increase. These risks are assessed by relying on contextual factors that include your device info, location info, and sometimes even the cognitive and physiological factors such as speed of interaction or the hand you are using. 

Continuous authentication is capable of securing the mobile identity of a user both at the beginning and throughout their session efficiently, while still providing a frictionless user experience and respecting the user’s privacy. 
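To make the risk-assessment idea above concrete, here is an added example (not IPification’s or Twitter’s code) of a minimal session risk scorer: it records the device, country and interaction speed seen at login, scores each later event against that baseline plus the session’s age, and asks for a step-up verification once the score crosses a threshold. The weights, thresholds and sample events are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class LoginContext:
    device_id: str
    country: str
    typing_ms: float   # typical interval between keystrokes measured at login

@dataclass
class SessionEvent:
    minutes_since_login: float
    device_id: str
    country: str
    typing_ms: float

# Assumed weights and threshold, chosen for illustration only.
WEIGHTS = {"device": 60, "country": 30, "behaviour": 20}
STEP_UP_THRESHOLD = 50

def session_age_risk(minutes: float) -> int:
    """Risk from session age alone: lowest right after login, +5 per 30 min, capped at 25."""
    return min(int(minutes // 30) * 5, 25)

def risk_score(baseline: LoginContext, event: SessionEvent) -> int:
    """Combine session age with contextual signals into a 0-100 risk score."""
    score = session_age_risk(event.minutes_since_login)
    if event.device_id != baseline.device_id:       # device changed mid-session
        score += WEIGHTS["device"]
    if event.country != baseline.country:           # location changed mid-session
        score += WEIGHTS["country"]
    # A large change in interaction speed is a weak behavioural signal.
    if abs(event.typing_ms - baseline.typing_ms) > 0.5 * baseline.typing_ms:
        score += WEIGHTS["behaviour"]
    return min(score, 100)

def needs_step_up(baseline: LoginContext, event: SessionEvent) -> bool:
    """True when the session should be re-verified before continuing."""
    return risk_score(baseline, event) >= STEP_UP_THRESHOLD

def evaluate_session(baseline, events):
    """Return (minutes, score, step_up) for each event in the session."""
    return [(e.minutes_since_login, risk_score(baseline, e), needs_step_up(baseline, e))
            for e in events]

# Constructed sample session: same context, then a country change, then a new device.
BASELINE = LoginContext("dev-A", "DE", 120.0)
EVENTS = [SessionEvent(1, "dev-A", "DE", 118.0),
          SessionEvent(45, "dev-A", "US", 125.0),
          SessionEvent(200, "dev-B", "US", 300.0)]

if __name__ == "__main__":
    for minutes, score, step_up in evaluate_session(BASELINE, EVENTS):
        print(f"t+{minutes:>4}min  risk={score:>3}  step_up={step_up}")
```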

IPification fits into MFA systems perfectly, in terms of both initial authentication and ongoing verification and fraud prevention checks. 

At the initial authentication check, IPification authenticates the user within milliseconds and with a single tap. During the user’s session, IPification can verify the user’s identity based on contextual factors, their phone number, network factors, and device information.

In cases like the most recent Twitter hack, authentication technology would not only prevent fraud, but also serve as a reliable backup when human error happens. Implementing authentication, user verification and fraud prevention technology capable of effectively securing mobile identities is vital. And if you’re looking for the most advanced solution available right now, look no further than continuous MFA. 

Want to learn more? Let’s talk.
