Last updated on April 19th, 2024 at 02:38 am
The Twitter account of right-wing political commentator Matt Walsh appeared to be hacked on Tuesday evening.
While in the hands of apparent hackers, Walsh’s account made several offensive tweets about other right-wing figures, including Ben Shapiro and Andrew Tate.
While the tweets have since been deleted, many are still visible via the Internet Archive’s Wayback Machine.
One now-deleted tweet claimed “My Twitter isn’t hacked, This is Just the Real Me Coming Out” and included a photo of a phone with multiple two-factor authentication (2FA) codes sent via text message.
As noted by independent journalist Steven Monacelli, the 2FA codes were not just for Walsh’s Twitter account, but for Microsoft and Google accounts as well, suggesting they were also compromised.
This makes it likely Walsh’s phone number was stolen in a SIM-swap attack, allowing hackers to request password resets and receive 2FA codes sent via text.
This attack highlights just how insecure SMS-based 2FA really is. In fact, Twitter recently stopped users who do not subscribe to Twitter Blue from using SMS-based 2FA. The inferior form of 2FA is, however, still available to paying customers like Walsh.
So, if you’re still using SMS-based 2FA, consider switching to a free authenticator app or, for maximum security, a security key.
Update April 20th: Dell Cameron, a reporter at Wired, confirmed that Walsh’s accounts had been compromised via a SIM-swap attack. Cameron reports that a hacker known as Doomed was behind the attack.