Finally got back my T-mobile account (yes, it was a sim swap, meaning that someone socially-engineered T-mobile itself to take over my phone number).

Main learning re twitter was:

> A phone number is sufficient to password reset a Twitter account even if not used as 2FA. Can completely remove phone from Twitter.

I had seen the "phone numbers are insecure, don't authenticate with them" advice before, but did not realize this

https://twitter.com/settings/account/login_verification

'Authentication app' or 'Security key' should be the only 2 options there. So far have had no troubles with using my 2fa app.

The issue is no good way to do account recovery for low value accounts at scale and no separation of high value accounts from low value accounts at services like twitter.