Twitter disables tweeting via SMS after multiple accounts were compromised by SIM swapping

Twitter CEO Jack Dorsey and multiple celebrities have had their accounts hacked over the last week as a result of SIM swap attacks.

Twitter has partially addressed one of the security vulnerabilities that allowed multiple accounts to be compromised over the last two weeks by temporarily disabling tweeting via SMS.

Since late August, hackers have compromised multiple Twitter accounts including the accounts of Twitter CEO Jack Dorsey, YouTubers Shane Dawson and James Charles, video game streamer BigJigglyPanda, and actress Chloë Grace Moretz.

The accounts were compromised via SIM swapping – a technique where hackers convince carriers to transfer a target’s phone number to a SIM card that they control. In most of these attacks, once the hackers had gained control of their target’s phone number, they used Twitter’s tweet via SMS service to send out tweets from their target’s Twitter account.

From today, tweeting via SMS will be disabled temporarily.

Twitter Support said it’s making the change because of “vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication” and added that the feature will be reactivated in some markets soon.

The change means that hackers will no longer be able to exploit the specific vulnerability they were using to send tweets from some of the previously compromised Twitter accounts. However, it does little to address the other vulnerabilities associated with SIM swapping.

Most notably, as Twitter Support says in its tweet, Twitter relies on having a linked phone number for two-factor authentication – a security measure that’s meant to prevent accounts from being taken over. Twitter claims that: “This requirement is in place for account recovery.”

But this requirement also allows hackers who have gained control of a phone number through SIM swapping to then take over the associated Twitter account via this account recovery process.

The announcement of this change from Twitter Support comes hours after it was reported that the phone numbers of over 60% of US Facebook users had been exposed online – another blunder that leaves hundreds of millions of people vulnerable to SIM swapping.

Tom Parker

Tom Parker is a head contributor for Reclaim The Net and provides news and analysis on how we can promote free speech, stop censorship, and protect our personal data online.