Vitalik Buterin recovers T-Mobile account, didn't realize phone number sufficient to reset Twitter

Quick Take

  • Ethereum co-founder Vitalik Buterin has recovered his T-Mobile account after a SIM-swap attack enabled a phishing scam on X (formerly Twitter).
  • Buterin said he didn’t realize a phone number was sufficient to reset the social media account, even if it’s not used for two-factor authentication.

Ethereum co-founder Vitalik Buterin has now recovered his T-Mobile account after confirming he was a victim of a SIM swap attack that led to a phishing scam on X (formerly Twitter).

“Finally got back my T-mobile account (yes, it was a sim swap, meaning that someone socially-engineered T-mobile itself to take over my phone number),” Buterin wrote on Warpcast — a client for the decentralized social protocol Farcaster, where account recovery can be managed via an Ethereum address.

Despite repeated warnings in the crypto space that phone numbers are an insecure authentication factor, given the prevalence of SIM swap attacks, Buterin didn’t realize that a phone number alone was sufficient for malicious actors to reset his X account, even when it is not used for two-factor authentication.

“A phone number is sufficient to password reset a Twitter account even if not used as 2FA,” Buterin noted. “I had seen the 'phone numbers are insecure, don't authenticate with them' advice before, but did not realize this.”

2FA is a security process for accessing a range of online accounts in which users provide two different authentication factors to verify themselves, such as a password and a code from an authenticator app.

Twitter Blue sign-ups add users’ phone numbers

Many other users might unknowingly have their phone numbers linked to their X accounts, with Buterin speculating he may have added his number when signing up for a Twitter Blue premium X subscription.

“I don't remember when I *added* the number; my guess is that it was required to sign up for Twitter Blue,” Buterin said.

Flashbots strategy lead Hasu also warned other X users to be vigilant, claiming every Twitter Blue account is SIM-swappable.

“If you signed up to Twitter Blue, it automatically added your phone number to your Twitter profile,” Hasu said. “This phone number can be used to reset your account, whether you use it for 2FA or not. Go to settings/profile to remove your phone number right now.”

A $700,000 phishing attack

Buterin's X account was compromised over the weekend following the SIM swap attack and used in a phishing scam, resulting in the theft of $700,000 worth of cryptocurrencies and NFTs.

The attackers used the account to promote a fake commemorative NFT mint, luring users to a malicious website built with the widely used Pink Drainer kit and designed to siphon funds from any wallet that interacted with it.

Buterin’s incident is the latest in a series of phishing attacks on X — with several prominent crypto figures and organizations, including the NFT project Azuki and the Aptos Foundation, previously targeted.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.