Finally got back my T-mobile account (yes, it was a sim swap, meaning that someone socially-engineered T-mobile itself to take over my phone number).

Main learning re twitter was:

> A phone number is sufficient to password reset a Twitter account even if not used as 2FA. Can completely remove phone from Twitter.

I had seen the "phone numbers are insecure, don't authenticate with them" advice before, but did not realize this

I don't remember when I *added* the number; my guess is that it was required to sign up for twitter blue.

Anyway, glad to be on farcaster, where my account recovery can be controlled by a good wholesome ethereum address :)

So if I'm understanding correctly, your account had a mobile number associated, but it was not enabled for 2FA, and even though you weren't using SMS 2FA the hackers were still able to take over via the mobile number?

Is that correct?

If so I really dislike that Twitter Blue requires a mobile number to sign up.