In a candid revelation, Ethereum Co-Founder Vitalik Buterin disclosed that the recent hack of his Twitter (now X) account was the result of a SIM-swap attack. Speaking on the decentralized social media platform Farcaster on September 12, Buterin shed light on the incident and offered some valuable lessons learned.
SIM-Swap Attacks on the Rise: Telecom Companies under Scrutiny
A SIM-swap attack, also known as simjacking, is a tactic employed by hackers to seize control of a victim's mobile phone number by having the carrier transfer it to a SIM card the attacker holds. Once in possession of the phone number, scammers receive the victim's SMS-based two-factor authentication (2FA) codes and password-reset messages, which they use to access social media accounts, banking services, and cryptocurrency holdings.
Buterin's revelation serves as a stark reminder of the evolving threats in the digital age and the importance of safeguarding personal information and online accounts from potential vulnerabilities. It additionally calls for increased vigilance among both individuals and service providers to fortify security measures against these types of cyberattacks.
The Vulnerability of Phone Numbers: Password Reset for X Accounts
Buterin explained that the attacker executed a SIM-swap attack by socially engineering T-Mobile, the mobile service provider. This manipulation allowed the hacker to gain control of Buterin's phone number, which subsequently led to compromising his X account.
He emphasized the inherent vulnerability of using a phone number for password recovery on social media platforms, even when that number is not used for 2FA. Buterin's experience underscored the importance of users taking proactive measures to protect their online accounts.
"A phone number is sufficient to password reset a Twitter account even if not used as 2FA," Buterin warned, adding that users have the option to "completely remove [a] phone from Twitter." This revelation highlights a critical security flaw that many may not have been aware of.
The hacking incident, which transpired on September 9, involved scammers taking control of Buterin's Twitter account and conducting a fraudulent NFT giveaway. Users were prompted to click on a malicious link, resulting in collective losses exceeding $691,000.
T-Mobile Faces Lawsuit over SIM-Swap Attack Leading to $450,000 Crypto Theft
Notably, this is not the first time that T-Mobile has been associated with such attacks. Finance Magnates reported earlier that a victim of cryptocurrency theft resulting from a SIM-swap attack has taken legal action against U.S. cell phone carrier T-Mobile, alleging negligence in preventing such scams. According to court documents filed recently, Calvin Cheng, the plaintiff, suffered the loss of 15 Bitcoins valued at over $450,000 due to the attack.
The lawsuit has accused T-Mobile of systemic and repeated failure to safeguard its customers' sensitive personal and financial information against foreseeable attempts to obtain this data illegally. Cheng's case involved a perpetrator impersonating Brandon Buchanan, the Co-Founder of investment fund Iterative Capital, who had also fallen victim to a SIM-swap attack.
The lawsuit highlights that SIM-swap attacks are a well-known method used to gain access to victims' phones, yet T-Mobile allegedly lacked security measures to prevent such incidents. Notably, AT&T, another major U.S. cell phone service provider, has faced similar legal challenges over SIM-swap attacks, and the lawsuit against T-Mobile reflects a growing concern over the responsibility of telecom companies in preventing these increasingly prevalent cybercrimes.