Ethereum co-founder Vitalik Buterin has revealed that the recent unauthorized access to his Twitter account was due to a SIM-swap attack.
A SIM-swap attack, also known as simjacking, is an attack in which a hacker tricks a mobile carrier into transferring a victim's phone number to a new SIM card controlled by the attacker. Once in control of the number, the hacker receives the victim's text messages and calls, including any two-factor authentication codes delivered by SMS, and can use them to gain unauthorized access to the victim's social media, bank, and cryptocurrency accounts. This type of attack poses significant risks of financial and data loss.
According to a report by Martin Young for Cointelegraph, Buterin made this revelation on Farcaster, a decentralized social media platform. He stated that he has regained control of his T-Mobile account, which the attacker had taken over by means of a SIM swap.
Buterin emphasized the risks associated with linking a phone number to a Twitter account. He noted that even if a phone number is not set up for two-factor authentication (2FA), it can still be used to reset the account password. He admitted that although he had heard advice against using phone numbers for authentication, he had not fully grasped the implications until now.
On September 9, Buterin’s Twitter account was compromised by fraudsters who posted a fake NFT giveaway. The scam led users to click on a harmful link, resulting in collective losses exceeding $691,000.
Following this incident, Ethereum developer Tim Beiko strongly advised that phone numbers be removed from Twitter accounts and that 2FA be enabled. Beiko suggested that enabling 2FA should be a standard practice, especially for accounts with a large following.