Twitter CEO Jack Dorsey was hacked Friday. How to protect your Twitter account
Dorsey was probably the victim of a SIM swap, a practice in which a hacker bribes or otherwise convinces a mobile carrier's employee to transfer a phone number to a SIM card in the hacker's own device.
Thanks to a feature left over from Twitter's early days, if a hacker gains control of the phone number associated with your Twitter account, they can text any tweets they want to Twitter's short code, 40404, and they will immediately be published to your account. The hacker does not need any other verification, not even your password.
Asked by CNN Business on Saturday, Twitter declined to comment on whether it would change its security practices following the Dorsey incident.
Until that changes, there doesn't seem to be any real way to turn off the feature that the hacker or hackers apparently exploited to take over Dorsey's account. In fact, the only way to do that is to make your account less secure overall. But there are still some things you can do to protect your account from this type of attack.
Verification Codes
First, it's always a good idea to have two-factor authentication turned on, as an additional step to verify your identity beyond your regular password. But two-factor alone won't protect you from a SIM swap if the second factor arrives by text message.
Not all verification methods are made equal. A hacker who controls your phone number can intercept security codes sent via text message, which makes that method useless.
Fortunately, Twitter offers several more secure verification methods.
One step better is to use an authenticator app such as Google Authenticator, which generates the codes on the phone itself. A hacker would then need your actual phone to get the codes. Or you can use a physical security key, a small piece of hardware you can buy separately that you use to confirm each login. A hacker would usually need to steal that key to get into your account.
Replace your phone number
Right now, the only way to turn off the ability to use text messages to send a tweet from your account is to delete your phone number from Twitter completely. But there is a catch: Doing so will disable two-factor authentication on your account. I tried several times to keep two-factor enabled on my own Twitter account while deleting my phone number from it. Every time it appeared Twitter would allow me to do so, but when I updated the page, two-factor was off.
"You can't get someone from Google Voice on your phone if you try," Krebs told CNN Business.
That's not a perfect solution, Krebs said, since your Google account can also be hijacked via SIM swap if it's set up to receive two-factor authentication text messages. And everyone outside the United States must find an alternative service. But it will still be effective if you enable an alternate verification method on your Google account and follow other generally good security practices, like setting very strong, unique passwords for every site you use and using a password manager to keep track of them.
CNN's Kevin Collier contributed to this report.