To better protect their accounts against attackers, Twitter users will in future be able to set up two-factor authentication (2FA) without providing a mobile number. Until now, entering such a number was mandatory so that the login codes required for 2FA could be sent to it via SMS. Users had criticized this requirement for some time, mainly because of security concerns.
Until now, SMS-based two-factor authentication could not be deactivated afterwards, even if the second factor was an authenticator app or a hardware security key.
The problem: with a method known as SIM swapping, attackers could gain access to accounts via the SMS option, something that has happened time and again over the past few years.
In a SIM swap, the perpetrators take over a digital identity by, for example, using their victim's data to order a new SIM card from the victim's mobile service provider. They can then intercept the two-factor authentication codes sent via SMS and log in to someone else's account.
Twitter only took action after hackers managed to use this method to take over the official account of Twitter CEO Jack Dorsey in August. The unknown perpetrators then sent racist and vulgar tweets to 4.2 million followers from his account.