Finally got back my T-mobile account (yes, it was a sim swap, meaning that someone socially-engineered T-mobile itself to take over my phone number).

Main learning re twitter was:

> A phone number is sufficient to password reset a Twitter account even if not used as 2FA. Can completely remove phone from Twitter.

I had seen the "phone numbers are insecure, don't authenticate with them" advice before, but did not realize this

I think the best two-factor authentication is by using the authenticator app which uses 512-RSA grade rotating keys developed by EMC for highly secure government & enterprise environments (think NSA).

product @ grayscale.com 🏁 bio: zachharris.xyz

That’s scary, so they social engineer, the Sim, and then used access from the phone to do a manual reset? Sounds like the real anarchist cookbook shit.

The key thing in this case is that SMS wasn’t part of the 2FA. If you have a phone number in your *account info* (completely unrelated to 2FA), then an attacker can reset your password using that number. You have to delete the number from your account info. :s