Finally got back my T-mobile account (yes, it was a sim swap, meaning that someone socially-engineered T-mobile itself to take over my phone number).

Looks like everyone dropped the ball here.

X shouldn’t enable phone recovery by default, it’s an obsolete practice.

T-Mobile should use PINs to thwart social engineers (we’ve known about SIM swaps for years) + special procedures for public figures who are obvious targets (flag set=call escalation, added verif).

This isn’t even 20/20 hindsight; how to prevent exactly this type of attack is well documented by now, and virtually 100% of those hacks follow the same recipe.

That’s why I’m reluctant to even give my phone number to sensitive services - even if they say otherwise, I’m worried they’ll use it for recovery.