ok - so i have an update - it took a lot of getting people to try to help, but in the end - i managed via getting an swe contact and a public policy contact. you can ask x to reset 2fa - it's not hard apparently - help.x.com/en/forms/account-a…

you can also social engineer things.

i wrote about my experience here: farcaster.xyz/bytebot/0x643cb…

So the hypothesis is that the attacker reset 2fa and then reset your password? (I wasn't sure you were saying they let you, or possibly that they let the attacker reset it)

yup - they let the attacker do it. all you need is the email address and/or phone number. if this information is already public - well, you're hosed @hboon

you should see the email i got when it was time to ask for a reset - maybe you just need to be convincing. aka social engineering

Ok so they reset your 2fa to a new phone number and got access that way?

They still need to enter your password though to even get access to 2fa?

you can after resetting 2fa at the same time reset password. all you need is the email address and/or phone number. take a look at this @bdlowery - 2fa - help.x.com/en/forms/account-a… - then help.x.com/en/forms/account-a…

this is btw happening a lot on X. eightsleep, a partner at a16z, etc. - a lot are getting hacked to launch silly scam coins - this is the hype du jour - x.com/launchcoin/with_replies

they even got the two time ex-malaysian prime minister during the pumpfun era of a few months ago

ok so basically having 2fa makes your account weaker? and it's better to just use a password manager with a strong password

i just cannot imagine how not having 2fa makes sense - we also get recovery codes and that should be used - but you can social engineer your way. strong password also can be reset if they know your email and/or phone number. it's just - a shit show @bdlowery
