Summary: on May 23rd, 2019, my mobile phone was hacked, then my Twitter account. The attacker changed my Twitter handle from @simon to @simonsw9kww. I got my mobile number back in about one hour. However, I’ve been unable so far to get my @simon Twitter account back, despite numerous tries.
If you can help me, please do.
What happened in detail
On May 23rd at 3:05pm PT I received this message on my T-Mobile phone:
Normally, a six-digit PIN is required to authorize a SIM card change for my phone number. In this case, a malicious attacker managed to do it without the PIN.
I quickly went to a T-Mobile store nearby and, after some back and forth with their technical support, I managed to get a new SIM card with my number on it. I then spent some extra time asking them to block any new SIM card change in the future, to no avail. They opened a ticket (incident ID: ****-***253), but after FIVE days, I still have no idea how someone managed to get a SIM card with my number without knowing the PIN.
The attacker presumably used my phone number to request a new password for my Twitter account. You don’t need to know which Twitter account is associated with a phone number; you can simply use the phone number to reset the password (this is a security risk if you don’t have multi-factor authentication enabled):
After this, the attacker changed my Twitter username to simonsw9kww, making the account simon available for registration. It is unclear to me whether the attacker has control of the current simon account, or not.
To my great surprise, I had never activated multi-factor authentication (MFA) for my Twitter account. I’ve been using my simon account since 2006 (one of the first 10,000 accounts on Twitter!), and once Twitter grew in popularity, it never occurred to me that I had left it without MFA. It was the only account I had without MFA enabled.
I have opened several support tickets in the past few days, and asked a few friends at Twitter to help me in any way they can.
Twitter seems to think that this type of ticket can’t be resolved:
Can you help?
What do I want? Simple: I’d like to get back my simon account. I have spent several hours trying, with no result so far.
If you work at Twitter, and/or if you know someone who can help, please put me in touch with that person.
Thanks for your help.
First consideration/suggestion: please enable MFA for your Twitter account (it was stupid on my part to forget to do it).
Second consideration: don’t trust your mobile operator. Assume that an attack like this can happen to you, and secure your accounts accordingly. T-Mobile not only has not provided any explanation so far (after five days), but failed me by allowing an attacker to obtain my phone number without using my PIN.
Assuming that I will eventually get my simon account back, the damage in this case is minor. But whatever the damage, it seems that it’s harder than ever to sue a mobile operator.