Twitter users have reason to be glad: the microblogging service announced that users can now disable the SMS-based 2FA method for their accounts and use alternative methods such as OTP authentication or a security key.
“We’re also making it easier to secure your account with 2FA. Starting today, you can enroll in 2FA without a phone number,” Twitter said in a post.
Earlier, users were required to register their phone numbers and enable the SMS-based 2FA method, even if they didn’t want to.
However, several users complained that they were unable to disable the SMS-based 2FA method, which left their accounts exposed to attackers.
The downside of SMS-based 2FA is that attackers can perform a SIM swap attack to hijack a user’s phone number, receive the SMS codes meant for the user, bypass 2FA, and then compromise the account. Several high-profile accounts have been hacked using this method.
Twitter reversed its decision to make SMS-based 2FA mandatory only after hackers used a SIM swap attack to break into the Twitter account of its CEO, Jack Dorsey.
According to an official statement, a hacking group named “Chuckle Squad” used SIM swapping to take over Dorsey’s account by exploiting a weakness at his cell carrier, which enabled them to post anti-Semitic comments in his feed.
Describing how the account got hacked, Twitter said, “The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.”
Recently, a security blunder by Twitter exposed the phone numbers and email addresses of users who had opted into 2FA protection: the social networking company admitted that this contact information had been used for targeted advertising.
In an official statement, Twitter said that an error in its “Tailored Audiences and Partner Audiences advertising system” unintentionally used the information users had provided for security purposes to run targeted ads.
“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” Twitter said in a statement.