
Mandiant's brute-forced X account exposes perils of skimping on 2FA
2024-01-11 17:00

Google-owned security house Mandiant's investigation into how its X account was taken over to push cryptocurrency scams concludes that the "likely" cause was a successful brute-force password attack.

"Normally, 2FA would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," it posted via its now recovered account.

It didn't specifically point to the policy change X announced in February 2023, which disabled SMS-based 2FA for users who didn't pay for Twitter Blue, but some have speculated that this may be why a brute-force attack was achievable.

Mandiant's X account has no verification of any kind, neither a consumer-grade blue tick nor the yellow tick for large organizations, which means it does not pay X. If it did rely on SMS-based 2FA, that protection would have been removed when the policy change took effect in March 2023.

Mandiant did confirm, in a blog post covering the incident's investigation, that there is no evidence of a compromise of the systems at Mandiant or its parent Google Cloud.

The postmortem into the account hijack comes days after the US Securities and Exchange Commission also had its X account taken over, in what is believed to have been a SIM-swapping attack.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/11/mandiant_x_account_brute_forced/